Spring Security ‐ Authentication
Nhan Nguyen edited this page Nov 20, 2023 · 4 revisions
In this tutorial, we illustrate the authentication architecture of Spring Security and describe some of its basic classes and interfaces.
- Supports two types of authentication:
  - Basic HTTP Authentication (https://datatracker.ietf.org/doc/html/rfc7617), which transmits credentials as user-id/password pairs, encoded using Base64.
  - JWT
- To obtain a JWT, the application has 3 public endpoints that do not require authentication:
  - Provide the username and password information: /api/v1/auth/signup, /api/v1/auth/signin
  - Log in through a Google account. The client sends a request to the front end (Postman), and the front end then sends the token (idToken) to the application for authentication: /api/v1/auth/signin/google
- The client sends a request to the application, and the container creates a FilterChain, which contains the Filter instances and Servlet that should process the HttpServletRequest, based on the path of the request URI.
- Spring provides a Filter implementation named DelegatingFilterProxy that allows bridging between the Servlet container’s lifecycle and Spring’s ApplicationContext.
- FilterChainProxy is a special Filter provided by Spring Security that allows delegating to many Filter instances through SecurityFilterChain. It is typically wrapped in a DelegatingFilterProxy.
- SecurityFilterChain is used by FilterChainProxy to determine which Spring Security Filter instances should be invoked for the current request.
- Architecture of common Authentication filter
- JwtAuthenticationFilter
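
The pieces described above, wired into one SecurityFilterChain: the three token endpoints are public, every other request must authenticate by HTTP Basic or by a JWT, and the JWT filter runs before UsernamePasswordAuthenticationFilter. This is an added example, not code from this wiki or its project. It assumes Spring Security 6.x on Spring Boot 3, a hypothetical TokenVerifier bean that validates the token, a Bearer Authorization header, and an assumed shape for JwtAuthenticationFilter, which the page names but does not show.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class SecurityConfig {
    /** Hypothetical: returns an authenticated Authentication, or null when the JWT is invalid or expired. */
    public interface TokenVerifier { Authentication verify(String jwt); }
    /** Assumed shape of the filter; the page names JwtAuthenticationFilter but does not show its code. */
    static class JwtAuthenticationFilter extends OncePerRequestFilter {
        private final TokenVerifier verifier;
        JwtAuthenticationFilter(TokenVerifier verifier) { this.verifier = verifier; }
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            String header = req.getHeader("Authorization");
            if (header != null && header.startsWith("Bearer ")) {
                Authentication auth = verifier.verify(header.substring(7));
                if (auth != null) SecurityContextHolder.getContext().setAuthentication(auth);
            }
            // Missing or invalid token: continue unauthenticated; the authorization rules reject the request.
            chain.doFilter(req, res);
        }
    }

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http, TokenVerifier verifier) throws Exception {
        http.csrf(csrf -> csrf.disable()) // assumption: non-browser API clients (the page uses Postman)
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(a -> a
                .requestMatchers("/api/v1/auth/signup", "/api/v1/auth/signin", "/api/v1/auth/signin/google").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .addFilterBefore(new JwtAuthenticationFilter(verifier), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

The filter is created with `new` inside the chain rather than exposed as a bean, so Spring Boot does not also register it as a plain servlet filter that would run outside FilterChainProxy.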