tessl/maven-org-springframework-security--spring-security-web
Spring Security Web module provides comprehensive web security features for Spring-based applications, including servlet-based authentication, authorization, CSRF protection, session management, and security filter chain implementation
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
'%3e%3cpath%20d='m7.15%205.779.281.877c-.001.502.003.991.124%201.48l.116-.082.229-1.265c.723%201.422%202.78%203.325%202.53%205.008-.022.154-.082.3-.158.435.349-.014.375-.38.578-.56.187%201.005.17%201.975-.22%202.932l1.428%203.159c-.007.07-.626.285-.744.226-.087-.044-.629-1.506-.742-1.754-.103-.224-.457-1.044-.592-1.165-.592-.534-2.033-.183-2.773-.256l.488-.115.148-.109c-.68-.08-1.363-.34-1.85-.815.531.046%201.052.121%201.592.087.1-.006.378-.02.432-.114-1.338-.016-2.398-.569-3.16-1.62-1.03-1.422-1.646-3.215-2.658-4.662-.203-.289-.474-.68-.776-.847-.015-.092.076-.054.137-.049.375.034.778.157%201.148.234l1.26.462c-.404-.737-1.332-.637-1.984-.994-.759-.416-1.2-1.386-1.487-2.149-.258-.68-.536-1.495-.492-2.217.282.262.529.573.896.73.087-.102-.838-1.102-.867-1.323C-.051.673.656-.051%201.328.003c1.128.09%202.44%201.953%202.87%202.886.074.069.145-.23.149-.25.029-.154.01-.306.054-.452.67.932%201.64%201.722%202.122%202.768l.626%201.778V5.78Z'/%3e%3cpath%20d='m10.851%206.733.626-1.778c.483-1.047%201.451-1.836%202.122-2.769.045.147.025.299.054.452.005.021.075.32.149.25.43-.932%201.742-2.796%202.87-2.885.672-.054%201.38.67%201.294%201.31-.03.22-.954%201.221-.867%201.322.367-.156.614-.467.896-.729.044.722-.234%201.536-.49%202.218-.288.763-.73%201.733-1.488%202.149-.652.356-1.58.256-1.984.993l1.26-.461c.37-.077.772-.2%201.148-.234.06-.006.152-.044.136.049-.301.166-.573.557-.775.847-.794%201.135-1.347%202.488-2.049%203.68-.635%201.081-1.285%202.087-2.613%202.432.148-.768.005-1.562-.173-2.316l-.32-.092c-.219-1.088-.84-2.001-1.466-2.908l.919-1.475.229%201.265.116.082c.12-.489.125-.979.123-1.48l.283-.877v.955ZM8.017%2014.984c-.238.57-.531%201.119-.78%201.686-.089.204-.446%201.24-.518%201.295-.145.114-.622-.087-.777-.2l1.207-2.78h.868ZM12.008%2013.75c-.059.174-.949.7-1.04.617l.12-.5.92-.117Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h18v18H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/maven-org-springframework-security--spring-security-web@6.5.0index.mddocs/
Spring Security Web
Spring Security Web module provides comprehensive web security features for Spring-based applications, including servlet-based authentication, authorization, CSRF protection, session management, and security filter chain implementation. It serves as the core web security infrastructure for both traditional servlet-based and reactive Spring applications.
Package Information
-
Package Name: org.springframework.security:spring-security-web
-
Package Type: Maven
-
Language: Java
-
Installation:
Maven:
<dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>6.5.1</version> </dependency>Gradle:
implementation 'org.springframework.security:spring-security-web:6.5.1'
Core Imports
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.context.SecurityContextRepository;Basic Usage
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
// Basic filter chain configuration
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/login", "/public/**").permitAll()
.anyRequest().authenticated()
)
.formLogin(form -> form
.loginPage("/login")
.defaultSuccessUrl("/dashboard")
)
.csrf(csrf -> csrf
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
)
.build();
}
}
// Manual filter chain setup
List<Filter> filters = Arrays.asList(
new SecurityContextHolderFilter(new HttpSessionSecurityContextRepository()),
new CsrfFilter(new HttpSessionCsrfTokenRepository()),
new UsernamePasswordAuthenticationFilter()
);
SecurityFilterChain chain = new DefaultSecurityFilterChain(
new AntPathRequestMatcher("/**"),
filters
);
FilterChainProxy proxy = new FilterChainProxy(chain);Architecture
Spring Security Web is built around a filter chain architecture that processes HTTP requests through a series of security filters. Key architectural components:
- Filter Chain Proxy: Central dispatcher that manages multiple security filter chains
- Security Filter Chains: Collections of filters that handle specific security concerns
- Authentication Framework: Pluggable authentication mechanisms and handlers
- Authorization Framework: Access control and privilege evaluation
- Security Context Management: Thread-safe security context storage and retrieval
- CSRF Protection: Cross-site request forgery prevention
- Session Management: HTTP session security controls
- Reactive Support: WebFlux integration for reactive applications
Capabilities
Core Filter Chain Infrastructure
The foundation of Spring Security's web security, providing filter chain management and request processing orchestration.
public interface SecurityFilterChain {
boolean matches(HttpServletRequest request);
List<Filter> getFilters();
}
public class FilterChainProxy extends GenericFilterBean {
public FilterChainProxy(List<SecurityFilterChain> filterChains);
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain);
public List<SecurityFilterChain> getFilterChains();
public void setFirewall(HttpFirewall firewall);
}
public class DefaultSecurityFilterChain implements SecurityFilterChain {
public DefaultSecurityFilterChain(RequestMatcher requestMatcher, Filter... filters);
public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters);
}Filter Chain and Security Infrastructure
Authentication Framework
Comprehensive authentication mechanisms including form-based, HTTP Basic, and pluggable authentication converters.
public interface AuthenticationSuccessHandler {
void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException;
}
public interface AuthenticationFailureHandler {
void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException;
}
public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
public void setUsernameParameter(String usernameParameter);
public void setPasswordParameter(String passwordParameter);
}Access Control and Authorization
Access control mechanisms, exception handling, and privilege evaluation for web resources.
public interface AccessDeniedHandler {
void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException accessDeniedException) throws IOException, ServletException;
}
public class ExceptionTranslationFilter extends GenericFilterBean {
public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint);
public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler);
public void setRequestCache(RequestCache requestCache);
}
public interface WebInvocationPrivilegeEvaluator {
boolean isAllowed(String uri, Authentication authentication);
boolean isAllowed(HttpServletRequest request, Authentication authentication);
}Access Control and Authorization
CSRF Protection
Cross-Site Request Forgery protection with token-based validation and multiple storage strategies.
public interface CsrfToken {
String getToken();
String getParameterName();
String getHeaderName();
}
public interface CsrfTokenRepository {
CsrfToken generateToken(HttpServletRequest request);
void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response);
CsrfToken loadToken(HttpServletRequest request);
}
public class CsrfFilter extends OncePerRequestFilter {
public void setCsrfTokenRepository(CsrfTokenRepository csrfTokenRepository);
public void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher);
}Security Context Management
Thread-safe security context storage, persistence, and lifecycle management across HTTP requests.
public interface SecurityContextRepository {
SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
boolean containsContext(HttpServletRequest request);
}
public class SecurityContextHolderFilter extends GenericFilterBean {
public SecurityContextHolderFilter(SecurityContextRepository securityContextRepository);
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy);
}
public class HttpSessionSecurityContextRepository implements SecurityContextRepository {
public void setAllowSessionCreation(boolean allowSessionCreation);
public void setDisableUrlRewriting(boolean disableUrlRewriting);
public void setSpringSecurityContextKey(String springSecurityContextKey);
}Session Management
HTTP session security controls including concurrent session management, session fixation protection, and invalid session handling.
public class SessionManagementFilter extends GenericFilterBean {
public void setInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy);
public void setSessionInformationExpiredStrategy(SessionInformationExpiredStrategy sessionInformationExpiredStrategy);
}
public interface InvalidSessionStrategy {
void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
throws IOException, ServletException;
}
public interface SessionInformationExpiredStrategy {
void onExpiredSessionDetected(SessionInformationExpiredEvent event)
throws IOException, ServletException;
}Request Validation and Firewall
HTTP request validation, sanitization, and attack prevention through configurable firewall rules.
public interface HttpFirewall {
FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException;
HttpServletResponse getFirewalledResponse(HttpServletResponse response);
}
public class StrictHttpFirewall implements HttpFirewall {
public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash);
public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent);
public void setAllowSemicolon(boolean allowSemicolon);
public void setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod);
}
public interface RequestRejectedHandler {
void handle(HttpServletRequest request, HttpServletResponse response,
RequestRejectedException requestRejectedException) throws IOException, ServletException;
}Request Validation and Firewall
Request Matching and Utilities
Flexible request matching capabilities and utility classes for URL manipulation, text escaping, and security operations.
public interface RequestMatcher {
boolean matches(HttpServletRequest request);
default MatchResult matcher(HttpServletRequest request);
}
public class AntPathRequestMatcher implements RequestMatcher {
public AntPathRequestMatcher(String pattern);
public AntPathRequestMatcher(String pattern, String httpMethod);
public AntPathRequestMatcher(String pattern, String httpMethod, boolean caseSensitive);
}
public final class UrlUtils {
public static String buildRequestUrl(HttpServletRequest request);
public static String buildFullRequestUrl(HttpServletRequest request);
public static boolean isAbsoluteUrl(String url);
}Request Matching and Utilities
Reactive Web Security
Reactive programming support for WebFlux applications with non-blocking security filters and handlers.
public interface SecurityWebFilterChain {
boolean matches(ServerWebExchange exchange);
Flux<WebFilter> getWebFilters();
}
public class WebFilterChainProxy implements WebFilter {
public WebFilterChainProxy(List<SecurityWebFilterChain> filters);
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
public void setFirewall(ServerHttpFirewall firewall);
}
public interface ServerAuthenticationEntryPoint {
Mono<Void> commence(ServerWebExchange exchange, AuthenticationException ex);
}Types
// Core filter chain types
public interface Filter {
void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException;
}
public interface FilterChain {
void doFilter(ServletRequest request, ServletResponse response)
throws IOException, ServletException;
}
// Security context types
@FunctionalInterface
public interface SecurityContextHolderStrategy {
SecurityContext getContext();
void setContext(SecurityContext context);
SecurityContext createEmptyContext();
void clearContext();
}
// Authentication types
public interface Authentication extends Principal, Serializable {
Collection<? extends GrantedAuthority> getAuthorities();
Object getCredentials();
Object getDetails();
Object getPrincipal();
boolean isAuthenticated();
void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException;
}
public class AuthenticationException extends RuntimeException {
public AuthenticationException(String msg);
public AuthenticationException(String msg, Throwable cause);
}
// Request/Response holders
public class HttpRequestResponseHolder {
public HttpRequestResponseHolder(HttpServletRequest request, HttpServletResponse response);
public HttpServletRequest getRequest();
public HttpServletResponse getResponse();
}
// Reactive types (for WebFlux support)
public interface ServerWebExchange {
ServerHttpRequest getRequest();
ServerHttpResponse getResponse();
Map<String, Object> getAttributes();
Mono<WebSession> getSession();
}
// Authentication Manager types
public interface AuthenticationManager {
Authentication authenticate(Authentication authentication) throws AuthenticationException;
}
public interface AuthenticationManagerResolver<T> {
AuthenticationManager resolve(T context);
}
// Grant Authority types
public interface GrantedAuthority extends Serializable {
String getAuthority();
}
public class SimpleGrantedAuthority implements GrantedAuthority {
public SimpleGrantedAuthority(String role);
public String getAuthority();
}
// Request Cache types
public interface RequestCache {
void saveRequest(HttpServletRequest request, HttpServletResponse response);
SavedRequest getRequest(HttpServletRequest request, HttpServletResponse response);
HttpServletRequest getMatchingRequest(HttpServletRequest request, HttpServletResponse response);
void removeRequest(HttpServletRequest request, HttpServletResponse response);
}
public interface SavedRequest extends Serializable {
String getRedirectUrl();
List<Cookie> getCookies();
String getMethod();
List<String> getHeaderValues(String name);
Collection<String> getHeaderNames();
List<Locale> getLocales();
String[] getParameterValues(String name);
Map<String, String[]> getParameterMap();
}