The Nature of HttpSecurity
Spring Security 5.4 has a new way of configuring HttpSecurity. In fact, you should know that HttpSecurity is used to build a SecurityFilterChain, a filter chain that contains a series of filters, and normally our configuration revolves around building a SecurityFilterChain.
From the above diagram, we can see that the SecurityFilterChain that was built still has to be handed over to FilterChainProxy for proxying. Isn't that a bit redundant?
The essence of WebSecurity
In some cases this is indeed superfluous, but more often we may need to configure multiple SecurityFilterChains to implement multiple access control policies. In order to manage the life cycle of multiple SecurityFilterChains in a fine-grained way, there must be a unified management agent for these SecurityFilterChains, and that is the meaning of WebSecurity. Here is the underlying logic of the build method of WebSecurity.
As you can see from the source code above, WebSecurity is used to build a Spring bean of type FilterChainProxy named springSecurityFilterChain. Its role is to define which requests ignore security controls and which must go through them, to clear the SecurityContext when appropriate to avoid memory leaks, and also to define the request firewall and the request-rejected handler; in addition, Spring Security debug mode, when we turn it on, is also configured here.
There is also a role that may not be mentioned in other articles: FilterChainProxy is the only export of Spring Security to the Spring framework application. It is then combined with a Servlet Filter through Spring's bridge proxy DelegatingFilterProxy, which constitutes Spring's only export to the Servlet system. This isolates Spring Security, the Spring framework and the Servlet API from one another.
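The following configuration class is an added example, not code from the original article or from Spring Security itself, showing how the two levels described above divide the work in the 5.4 style: one WebSecurityCustomizer bean carries the FilterChainProxy-level concerns (ignored requests, firewall, request-rejected handler, debug flag), and two SecurityFilterChain beans carry two separate access control policies. The package name, URL patterns and the role name "API" are assumptions chosen for illustration.

```java
// Added example (not from the original article): Spring Security 5.4 style
// configuration with one WebSecurity customizer and two SecurityFilterChains.
// Package, paths and role names are made up for illustration.
package example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class MultiChainSecurityConfig {

    // WebSecurity level: everything set here ends up inside the FilterChainProxy
    // bean named "springSecurityFilterChain". Ignored requests bypass every
    // SecurityFilterChain entirely, so keep that list to truly public assets.
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // Reject path parameters such as /admin;x that can confuse matchers.
        firewall.setAllowSemicolon(false);
        return web -> web
                .ignoring().antMatchers("/static/**", "/favicon.ico")
                .and()
                .httpFirewall(firewall)
                // Malformed/rejected requests get a plain 400 instead of a stack trace.
                .requestRejectedHandler(new HttpStatusRequestRejectedHandler())
                // true logs every filter applied per request; leave it off outside development.
                .debug(false);
    }

    // HttpSecurity level, first policy: stateless API protected by HTTP Basic.
    // @Order decides which chain FilterChainProxy consults first; the first chain
    // whose request matcher matches handles the request on its own.
    @Bean
    @Order(1)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests().anyRequest().hasRole("API")
            .and()
            .httpBasic();
        return http.build();
    }

    // Second policy: the browser-facing part of the site, form login with CSRF kept on.
    // No antMatcher here, so this chain is the catch-all and must be ordered last.
    @Bean
    @Order(2)
    public SecurityFilterChain webFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/error").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin();
        return http.build();
    }
}
```

Each SecurityFilterChain bean is built from its own prototype-scoped HttpSecurity, which is why the two policies can differ in CSRF, session and authentication settings without affecting each other; FilterChainProxy only chooses which chain runs and clears the SecurityContextHolder after the request has passed through it.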
Summary
We can actually consider that WebSecurity is the only external outlet of Spring Security, while HttpSecurity is just the way internal security policies are defined; WebSecurity corresponds to FilterChainProxy, while HttpSecurity corresponds to SecurityFilterChain, and their common parent class is AbstractConfiguredSecurityBuilder. Once you have mastered these basics you will know what the difference between them is.
Reference
https://felord.cn/webSecurity-httpSecurity.html