Showing posts from April, 2010

SecurityContextPersistenceFilter

This bean is configured as shown below:
<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
This bean has two main tasks, both of them very important.
In a typical web application like Skyphoto, the user logs in once and then performs several operations or clicks several links and buttons, generating several authenticated requests to the server. Since the user was authenticated once, it is important to store the security context somewhere and by some means. Otherwise he/she has to authenticate for each request and will sooner or later stop using Skyphoto. In a typical web application you store a user object in the HttpSession, and each time a request comes in, the server identifies this session by its session id and you get the user object. It is the responsibility of the server to cache/store and manage these session objects during the lifetime of the session. “In Spring Security,…

How does the filter chain work?

Going back to the filter chain configuration in my last post, you can see a chain of filters configured as shown below:
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <sec:filter-chain-map path-type="ant">
        <sec:filter-chain pattern="/SkyPhotoWeb/**" filters=" securityContextPersistenceFilterWithASCFalse, basicAuthenticationFilter, exceptionTranslationFilter, filterSecurityInterceptor" />
        <sec:filter-chain pattern="/**" filters=" securityContextPersistenceFilterWithASCTrue, formLoginFilter, exceptionTranslationFilter, filterSecurityInterceptor" />
    </sec:filter-chain-map>
</bean>
Let us assume that a request is sent to http://www.skyphoto.com/SkyPhotoWeb/dosomething.html. The request runs through the filters as shown in the picture below:

In my next post I will explain all of these and a few other important filters in greater detail.
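
The chain selection described above, as an added example (not code from the original post or from Spring Security): a plain-Java model of how the first matching pattern decides which filters a request runs through, compared with the same two patterns declared in the opposite order. The `matches` helper is a simplified stand-in for ant-style matching, the class and method names are hypothetical, and the application is assumed to be deployed at the root context so that the matched path is `/SkyPhotoWeb/dosomething.html`.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class FilterChainSelection {

    // Simplified stand-in for ant-style matching (an assumption of this example):
    // handles only exact paths and a trailing "/**" wildcard, which is all the
    // configuration above uses.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // Patterns are tried in declaration order; the first match decides the chain.
    static List<String> select(Map<String, List<String>> chains, String path) {
        for (Map.Entry<String, List<String>> e : chains.entrySet()) {
            if (matches(e.getKey(), path)) {
                return e.getValue();
            }
        }
        return List.of(); // no pattern matched: no security filters run
    }

    public static void main(String[] args) {
        List<String> basic = List.of("securityContextPersistenceFilterWithASCFalse",
                "basicAuthenticationFilter", "exceptionTranslationFilter", "filterSecurityInterceptor");
        List<String> form = List.of("securityContextPersistenceFilterWithASCTrue",
                "formLoginFilter", "exceptionTranslationFilter", "filterSecurityInterceptor");

        Map<String, List<String>> asConfigured = new LinkedHashMap<>();
        asConfigured.put("/SkyPhotoWeb/**", basic);
        asConfigured.put("/**", form);

        Map<String, List<String>> reversed = new LinkedHashMap<>();
        reversed.put("/**", form);
        reversed.put("/SkyPhotoWeb/**", basic);

        // Constructed sample paths; the first is the path of the URL in the post.
        for (String path : List.of("/SkyPhotoWeb/dosomething.html", "/album/list.html")) {
            System.out.println(path);
            System.out.println("  as configured: " + select(asConfigured, path));
            System.out.println("  reversed:      " + select(reversed, path));
        }
    }
}
```

With the reversed order, `/SkyPhotoWeb/dosomething.html` falls into the form-login chain because `/**` matches every path, so the more specific pattern has to be declared first.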