Security touches many layers of an application and is therefore considered a cross-cutting concern.
Spring Security's internals differ depending on what is being secured:
- Method-invocation security is declarative and is implemented using AOP proxies (a proxy object wraps the secured one and applies the implemented advice at particular join points).
- Web-layer security is implemented using a hierarchy of Filter instances.
The web-layer security filter hierarchy is as follows:
A single instance of DelegatingFilterProxy is installed into the servlet container's filter chain.
This filter is not a Spring bean; its lifecycle is managed by the servlet container.
Usually, this filter is created by the Spring Security framework itself.
DelegatingFilterProxy delegates filtering to a single instance of FilterChainProxy, which is a Spring bean,
so its lifecycle is managed by the ApplicationContext.
FilterChainProxy holds a list of SecurityFilterChain instances, which contain all the security logic.
Only one security filter chain can process a single web request.
#spring #certificationquestion #vcp