
I have a question. I have the following configuration:

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.web.filter.CharacterEncodingFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    // User lookup and authority lookup are both JDBC queries against the DataSource.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
                .usersByUsernameQuery(
                        "select username, password, enabled from user where username=?")
                .authoritiesByUsernameQuery(
                        "select username, role from user inner join role on user.role_id = role.id where username=?")
                .passwordEncoder(passwordencoder());
    }

    @Bean(name = "passwordEncoder")
    public Md5PasswordEncoder passwordencoder() {
        return new Md5PasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Force UTF-8 decoding of request parameters before the CSRF filter reads them.
        CharacterEncodingFilter filter = new CharacterEncodingFilter();
        filter.setEncoding("UTF-8");
        filter.setForceEncoding(true);
        http.addFilterBefore(filter, CsrfFilter.class);
        http
                .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/add-ticket")
                .failureUrl("/");
        http
                .authorizeRequests()
                .antMatchers("/add-ticket").hasRole("ADMIN");
    }
}
```

And the question is: how does Spring Security understand what the user's role is? I mean, does it save some information in the session after authorization, or what? For example, does it save the username in the session and, on every request, take the role from the DB by username? I didn't understand this point. Can you help?

Mark Rotteveel
Daimon

  • It *understands* what the user role is because you supplied the query for providing that information. If you want to know exactly when and how often that query is executed, you should look at the source code of Spring, and perhaps even step through the code with a debugger. – Andreas May 03 '18 at 18:44
  • But since you didn't provide a [`userCache`](https://docs.spring.io/spring-security/site/docs/4.2.5.RELEASE/apidocs/org/springframework/security/config/annotation/authentication/configurers/provisioning/JdbcUserDetailsManagerConfigurer.html#userCache-org.springframework.security.core.userdetails.UserCache-), it will likely query on every web request. – Andreas May 03 '18 at 18:47
  • But how can it query on every web request if the query selects the role by username? Other requests except authorization don't have a username field. – Daimon May 03 '18 at 19:06
  • So your question is really how Spring remembers the *user*, not how it understands *roles*. Once the user logs in, the user is stored in a session attribute and an HTTP cookie identifying the session object is created and received again on any subsequent request, which helps Spring Security identify the user. – Andreas May 03 '18 at 21:36

1 Answer

Once a user gets authorized, Spring keeps their roles in GrantedAuthority objects. E.g. in the GrantedAuthority implementation SimpleGrantedAuthority, which has only one field -> role.

All authorities are kept in an Authentication object, which is held in a SecurityContext, which is associated with the current execution thread.

Krzysztof Majewski

  • "associated with the current execution thread" - does it mean something like a session? Because every request is a new thread. – Daimon May 03 '18 at 19:12
  • Here you have a good explanation: https://stackoverflow.com/questions/7173195/how-does-spring-security-manage-securitycontext-in-a-thread-across-web-applicati – Krzysztof Majewski May 03 '18 at 19:19
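To make the thread-vs-session point concrete, here is an added, self-contained example (not code from the question or the answer above) that models what Spring Security's `SecurityContextPersistenceFilter` does: the `SecurityContext` built at login is saved in the `HttpSession` under the attribute name `SPRING_SECURITY_CONTEXT`, and on each later request it is copied from the session into the thread-local `SecurityContextHolder`, so role checks read the stored `GrantedAuthority` list and do not re-run the JDBC queries. The class name `SessionVsThreadDemo` and the `ConcurrentHashMap` standing in for the `HttpSession` are assumptions of this example; only spring-security-core is needed on the classpath.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;

public class SessionVsThreadDemo {

    // Stand-in for the HttpSession (assumption of this example). Spring's
    // HttpSessionSecurityContextRepository uses the attribute name "SPRING_SECURITY_CONTEXT".
    static final Map<String, Object> session = new ConcurrentHashMap<>();
    static final String KEY = "SPRING_SECURITY_CONTEXT";

    /** Login request: authenticate once, then persist the context in the "session". */
    static void loginRequest() {
        // The authorities are what authoritiesByUsernameQuery returned; hasRole("ADMIN")
        // matches the authority string "ROLE_ADMIN", so the role column must carry that prefix.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "alice", null, AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
        SecurityContext ctx = new SecurityContextImpl();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);   // thread-local for the login request only
        session.put(KEY, ctx);                   // survives across requests via the session cookie
        SecurityContextHolder.clearContext();    // the worker thread is recycled at request end
    }

    /** A later request on a different thread: restore from the session, then check the role. */
    static boolean laterRequestHasRole(String role) throws InterruptedException {
        boolean[] result = new boolean[1];
        Thread requestThread = new Thread(() -> {
            SecurityContext ctx = (SecurityContext) session.get(KEY);
            SecurityContextHolder.setContext(ctx); // what the persistence filter does per request
            Authentication a = SecurityContextHolder.getContext().getAuthentication();
            result[0] = a != null && a.getAuthorities().stream()
                    .anyMatch(g -> g.getAuthority().equals("ROLE_" + role)); // no DB access here
            SecurityContextHolder.clearContext();
        });
        requestThread.start();
        requestThread.join();
        return result[0];
    }

    public static void main(String[] args) throws InterruptedException {
        loginRequest();
        System.out.println(laterRequestHasRole("ADMIN"));                          // true
        System.out.println(SecurityContextHolder.getContext().getAuthentication()); // null: main thread never restored it
    }
}
```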