tessl/maven-org-springframework-security--spring-security-web
Spring Security Web module provides comprehensive web security features for Spring-based applications, including servlet-based authentication, authorization, CSRF protection, session management, and security filter chain implementation
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Securityby
Pending
The risk profile of this skill
Spring Security Web
Spring Security Web module provides comprehensive web security features for Spring-based applications, including servlet-based authentication, authorization, CSRF protection, session management, and security filter chain implementation. It serves as the core web security infrastructure for both traditional servlet-based and reactive Spring applications.
Package Information
-
Package Name: org.springframework.security:spring-security-web
-
Package Type: Maven
-
Language: Java
-
Installation:
Maven:
<dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>6.5.1</version> </dependency>Gradle:
implementation 'org.springframework.security:spring-security-web:6.5.1'
Core Imports
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.context.SecurityContextRepository;Basic Usage
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
// Basic filter chain configuration
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/login", "/public/**").permitAll()
.anyRequest().authenticated()
)
.formLogin(form -> form
.loginPage("/login")
.defaultSuccessUrl("/dashboard")
)
.csrf(csrf -> csrf
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
)
.build();
}
}
// Manual filter chain setup
List<Filter> filters = Arrays.asList(
new SecurityContextHolderFilter(new HttpSessionSecurityContextRepository()),
new CsrfFilter(new HttpSessionCsrfTokenRepository()),
new UsernamePasswordAuthenticationFilter()
);
SecurityFilterChain chain = new DefaultSecurityFilterChain(
new AntPathRequestMatcher("/**"),
filters
);
FilterChainProxy proxy = new FilterChainProxy(chain);Architecture
Spring Security Web is built around a filter chain architecture that processes HTTP requests through a series of security filters. Key architectural components:
- Filter Chain Proxy: Central dispatcher that manages multiple security filter chains
- Security Filter Chains: Collections of filters that handle specific security concerns
- Authentication Framework: Pluggable authentication mechanisms and handlers
- Authorization Framework: Access control and privilege evaluation
- Security Context Management: Thread-safe security context storage and retrieval
- CSRF Protection: Cross-site request forgery prevention
- Session Management: HTTP session security controls
- Reactive Support: WebFlux integration for reactive applications
Capabilities
Core Filter Chain Infrastructure
The foundation of Spring Security's web security, providing filter chain management and request processing orchestration.
public interface SecurityFilterChain {
boolean matches(HttpServletRequest request);
List<Filter> getFilters();
}
public class FilterChainProxy extends GenericFilterBean {
public FilterChainProxy(List<SecurityFilterChain> filterChains);
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain);
public List<SecurityFilterChain> getFilterChains();
public void setFirewall(HttpFirewall firewall);
}
public class DefaultSecurityFilterChain implements SecurityFilterChain {
public DefaultSecurityFilterChain(RequestMatcher requestMatcher, Filter... filters);
public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters);
}Filter Chain and Security Infrastructure
Authentication Framework
Comprehensive authentication mechanisms including form-based, HTTP Basic, and pluggable authentication converters.
public interface AuthenticationSuccessHandler {
void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException;
}
public interface AuthenticationFailureHandler {
void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException;
}
public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
public void setUsernameParameter(String usernameParameter);
public void setPasswordParameter(String passwordParameter);
}Access Control and Authorization
Access control mechanisms, exception handling, and privilege evaluation for web resources.
public interface AccessDeniedHandler {
void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException accessDeniedException) throws IOException, ServletException;
}
public class ExceptionTranslationFilter extends GenericFilterBean {
public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint);
public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler);
public void setRequestCache(RequestCache requestCache);
}
public interface WebInvocationPrivilegeEvaluator {
boolean isAllowed(String uri, Authentication authentication);
boolean isAllowed(HttpServletRequest request, Authentication authentication);
}Access Control and Authorization
CSRF Protection
Cross-Site Request Forgery protection with token-based validation and multiple storage strategies.
public interface CsrfToken {
String getToken();
String getParameterName();
String getHeaderName();
}
public interface CsrfTokenRepository {
CsrfToken generateToken(HttpServletRequest request);
void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response);
CsrfToken loadToken(HttpServletRequest request);
}
public class CsrfFilter extends OncePerRequestFilter {
public void setCsrfTokenRepository(CsrfTokenRepository csrfTokenRepository);
public void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher);
}Security Context Management
Thread-safe security context storage, persistence, and lifecycle management across HTTP requests.
public interface SecurityContextRepository {
SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
boolean containsContext(HttpServletRequest request);
}
public class SecurityContextHolderFilter extends GenericFilterBean {
public SecurityContextHolderFilter(SecurityContextRepository securityContextRepository);
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy);
}
public class HttpSessionSecurityContextRepository implements SecurityContextRepository {
public void setAllowSessionCreation(boolean allowSessionCreation);
public void setDisableUrlRewriting(boolean disableUrlRewriting);
public void setSpringSecurityContextKey(String springSecurityContextKey);
}Session Management
HTTP session security controls including concurrent session management, session fixation protection, and invalid session handling.
public class SessionManagementFilter extends GenericFilterBean {
public void setInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy);
public void setSessionInformationExpiredStrategy(SessionInformationExpiredStrategy sessionInformationExpiredStrategy);
}
public interface InvalidSessionStrategy {
void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
throws IOException, ServletException;
}
public interface SessionInformationExpiredStrategy {
void onExpiredSessionDetected(SessionInformationExpiredEvent event)
throws IOException, ServletException;
}Request Validation and Firewall
HTTP request validation, sanitization, and attack prevention through configurable firewall rules.
public interface HttpFirewall {
FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException;
HttpServletResponse getFirewalledResponse(HttpServletResponse response);
}
public class StrictHttpFirewall implements HttpFirewall {
public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash);
public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent);
public void setAllowSemicolon(boolean allowSemicolon);
public void setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod);
}
public interface RequestRejectedHandler {
void handle(HttpServletRequest request, HttpServletResponse response,
RequestRejectedException requestRejectedException) throws IOException, ServletException;
}Request Validation and Firewall
Request Matching and Utilities
Flexible request matching capabilities and utility classes for URL manipulation, text escaping, and security operations.
public interface RequestMatcher {
boolean matches(HttpServletRequest request);
default MatchResult matcher(HttpServletRequest request);
}
public class AntPathRequestMatcher implements RequestMatcher {
public AntPathRequestMatcher(String pattern);
public AntPathRequestMatcher(String pattern, String httpMethod);
public AntPathRequestMatcher(String pattern, String httpMethod, boolean caseSensitive);
}
public final class UrlUtils {
public static String buildRequestUrl(HttpServletRequest request);
public static String buildFullRequestUrl(HttpServletRequest request);
public static boolean isAbsoluteUrl(String url);
}Request Matching and Utilities
Reactive Web Security
Reactive programming support for WebFlux applications with non-blocking security filters and handlers.
public interface SecurityWebFilterChain {
boolean matches(ServerWebExchange exchange);
Flux<WebFilter> getWebFilters();
}
public class WebFilterChainProxy implements WebFilter {
public WebFilterChainProxy(List<SecurityWebFilterChain> filters);
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
public void setFirewall(ServerHttpFirewall firewall);
}
public interface ServerAuthenticationEntryPoint {
Mono<Void> commence(ServerWebExchange exchange, AuthenticationException ex);
}Types
// Core filter chain types
public interface Filter {
void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException;
}
public interface FilterChain {
void doFilter(ServletRequest request, ServletResponse response)
throws IOException, ServletException;
}
// Security context types
@FunctionalInterface
public interface SecurityContextHolderStrategy {
SecurityContext getContext();
void setContext(SecurityContext context);
SecurityContext createEmptyContext();
void clearContext();
}
// Authentication types
public interface Authentication extends Principal, Serializable {
Collection<? extends GrantedAuthority> getAuthorities();
Object getCredentials();
Object getDetails();
Object getPrincipal();
boolean isAuthenticated();
void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException;
}
public class AuthenticationException extends RuntimeException {
public AuthenticationException(String msg);
public AuthenticationException(String msg, Throwable cause);
}
// Request/Response holders
public class HttpRequestResponseHolder {
public HttpRequestResponseHolder(HttpServletRequest request, HttpServletResponse response);
public HttpServletRequest getRequest();
public HttpServletResponse getResponse();
}
// Reactive types (for WebFlux support)
public interface ServerWebExchange {
ServerHttpRequest getRequest();
ServerHttpResponse getResponse();
Map<String, Object> getAttributes();
Mono<WebSession> getSession();
}
// Authentication Manager types
public interface AuthenticationManager {
Authentication authenticate(Authentication authentication) throws AuthenticationException;
}
public interface AuthenticationManagerResolver<T> {
AuthenticationManager resolve(T context);
}
// Grant Authority types
public interface GrantedAuthority extends Serializable {
String getAuthority();
}
public class SimpleGrantedAuthority implements GrantedAuthority {
public SimpleGrantedAuthority(String role);
public String getAuthority();
}
// Request Cache types
public interface RequestCache {
void saveRequest(HttpServletRequest request, HttpServletResponse response);
SavedRequest getRequest(HttpServletRequest request, HttpServletResponse response);
HttpServletRequest getMatchingRequest(HttpServletRequest request, HttpServletResponse response);
void removeRequest(HttpServletRequest request, HttpServletResponse response);
}
public interface SavedRequest extends Serializable {
String getRedirectUrl();
List<Cookie> getCookies();
String getMethod();
List<String> getHeaderValues(String name);
Collection<String> getHeaderNames();
List<Locale> getLocales();
String[] getParameterValues(String name);
Map<String, String[]> getParameterMap();
}- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Publish Source
- CLI
- Badge
'%3e%3cpath%20d='m7.15%205.779.281.877c-.001.502.003.991.124%201.48l.116-.082.229-1.265c.723%201.422%202.78%203.325%202.53%205.008-.022.154-.082.3-.158.435.349-.014.375-.38.578-.56.187%201.005.17%201.975-.22%202.932l1.428%203.159c-.007.07-.626.285-.744.226-.087-.044-.629-1.506-.742-1.754-.103-.224-.457-1.044-.592-1.165-.592-.534-2.033-.183-2.773-.256l.488-.115.148-.109c-.68-.08-1.363-.34-1.85-.815.531.046%201.052.121%201.592.087.1-.006.378-.02.432-.114-1.338-.016-2.398-.569-3.16-1.62-1.03-1.422-1.646-3.215-2.658-4.662-.203-.289-.474-.68-.776-.847-.015-.092.076-.054.137-.049.375.034.778.157%201.148.234l1.26.462c-.404-.737-1.332-.637-1.984-.994-.759-.416-1.2-1.386-1.487-2.149-.258-.68-.536-1.495-.492-2.217.282.262.529.573.896.73.087-.102-.838-1.102-.867-1.323C-.051.673.656-.051%201.328.003c1.128.09%202.44%201.953%202.87%202.886.074.069.145-.23.149-.25.029-.154.01-.306.054-.452.67.932%201.64%201.722%202.122%202.768l.626%201.778V5.78Z'/%3e%3cpath%20d='m10.851%206.733.626-1.778c.483-1.047%201.451-1.836%202.122-2.769.045.147.025.299.054.452.005.021.075.32.149.25.43-.932%201.742-2.796%202.87-2.885.672-.054%201.38.67%201.294%201.31-.03.22-.954%201.221-.867%201.322.367-.156.614-.467.896-.729.044.722-.234%201.536-.49%202.218-.288.763-.73%201.733-1.488%202.149-.652.356-1.58.256-1.984.993l1.26-.461c.37-.077.772-.2%201.148-.234.06-.006.152-.044.136.049-.301.166-.573.557-.775.847-.794%201.135-1.347%202.488-2.049%203.68-.635%201.081-1.285%202.087-2.613%202.432.148-.768.005-1.562-.173-2.316l-.32-.092c-.219-1.088-.84-2.001-1.466-2.908l.919-1.475.229%201.265.116.082c.12-.489.125-.979.123-1.48l.283-.877v.955ZM8.017%2014.984c-.238.57-.531%201.119-.78%201.686-.089.204-.446%201.24-.518%201.295-.145.114-.622-.087-.777-.2l1.207-2.78h.868ZM12.008%2013.75c-.059.174-.949.7-1.04.617l.12-.5.92-.117Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h18v18H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
