Page History

About this document

This document is a brief description of the processing that occurs to authenticate and authorize an HTTP request using Spring Security and the CSF, highlighting features that are useful for application developers to know about.

The processing has two parts. One part is performed by Spring Security, and the other part is performed by CSF code.

Spring Security

Spring Security is part of the Spring Framework and it abstracts authentication and authorization processing in a manner that allows them to be customized for a particular set of requirements. For web applications, Spring Security is "plugged in" as a servlet filter. If the Spring Security servlet filter is configured in the web.xml then Spring Security will be called on each request to the servlet.

Spring Security processing is composed of parts that are assembled into what is called a "filter chain". Those parts are themselves customized by injection of service beans. The filters in an Spring Security filter chain are not the same as servlet filters, although the general concept is the same. The filter chain determines the sequence of authorization and authentication processing, and the inclusion of authentication protocols.

The end result of running the filter chain is that access is either granted or denied to the resource requested. Granted access creates an Spring Security Security Context for the request, which an application may consult for roles and user information collected previously during the Spring Security processing.  Denied access should cause an access denied message to be returned to the user.