🍃🎓 SPRING CERTIFICATION QUESTION: Is security a cross-cutting concern? How is it implemented internally?

· spring,vcp

Answer:

Security pertains to many layers of an application and is therefore considered a cross-cutting concern.

 

The Spring Security framework internals differ depending on what is secured:

  1. Method-invocation security is declarative and is implemented using AOP proxies (a proxy object wraps the secured one and applies the implemented advice at particular join points).
  2. Web-layer security is implemented using a hierarchy of Filter instances.

 

The web-layer security filter hierarchy is as follows:

A single instance of DelegatingFilterProxy is installed into the servlet container's filter chain.

This filter is not a Spring bean; its lifecycle is managed by the servlet container.

Usually, this filter is created by the Spring Security framework itself.

DelegatingFilterProxy delegates filtering functionality to a single instance of FilterChainProxy, which is a Spring bean, so its lifecycle is managed by the ApplicationContext.

FilterChainProxy holds a list of SecurityFilterChain instances, which contain all the security logic.

Only one security filter chain can process a single web request.

 

#spring #certificationquestion #vcp