If you are using Spring Security in your Spring project, let's take a look at the default filters that are quietly running for you even though nobody really notices them!

Spring Security Architecture

Basic structure
  • Spring Security helps you implement "authentication" and "authorization", the core of application security, easily by using Filters and annotations.

AuthenticationManager : handles user authentication
AccessDecisionManager : checks whether the user has the appropriate authority to access a protected resource

FilterChainProxy


Spring Security runs as an implementation of the servlet filter javax.servlet.Filter.
It is configured by extending the abstract class WebSecurityConfigurerAdapter together with the @EnableWebSecurity annotation.
Web requests pass through this filter chain in order; the chain is usually registered as a Bean named springSecurityFilterChain.

Custom Filters are often added to the filter chain, but today I want to look at the many filters that work without any configuration at all.

The default filters described in the official Spring documentation are as follows.

(Heads-up: it is in English.)

 

Filter Ordering

The order that filters are defined in the chain is very important. Irrespective of which filters you are actually using, the order should be as follows:

  1. ChannelProcessingFilter, because it might need to redirect to a different protocol
  2. SecurityContextPersistenceFilter, so a SecurityContext can be set up in the SecurityContextHolder at the beginning of a web request, and any changes to the SecurityContext can be copied to the HttpSession when the web request ends (ready for use with the next web request)
  3. ConcurrentSessionFilter, because it uses the SecurityContextHolder functionality but needs to update the SessionRegistry to reflect ongoing requests from the principal
  4. Authentication processing mechanisms - UsernamePasswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter etc - so that the SecurityContextHolder can be modified to contain a valid Authentication request token
  5. The SecurityContextHolderAwareRequestFilter, if you are using it to install a Spring Security aware HttpServletRequestWrapper into your servlet container
  6. RememberMeAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, and the request presents a cookie that enables remember-me services to take place, a suitable remembered Authentication object will be put there
  7. AnonymousAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, an anonymous Authentication object will be put there
  8. ExceptionTranslationFilter, to catch any Spring Security exceptions so that either an HTTP error response can be returned or an appropriate AuthenticationEntryPoint can be launched
  9. FilterSecurityInterceptor, to protect web URIs and raise exceptions when access is denied

Of course, if you look at Spring Security's `FilterOrderRegistration` class you can see the Filter Chain that Spring Security actually uses.

 

- The filter chain registered in FilterOrderRegistration - in code

```java
// Constructor of Spring Security's FilterOrderRegistration: each put() assigns the next
// order slot to a filter class, and the bare order.next() calls deliberately leave a gap
// (see gh-8105). Filters referenced by fully qualified name live in optional modules
// (OAuth2, SAML2, CAS, OpenID) and are registered by name so they need not be on the classpath.
FilterOrderRegistration() {
   Step order = new Step(INITIAL_ORDER, ORDER_STEP);
   put(ChannelProcessingFilter.class, order.next());
   order.next(); // gh-8105
   put(WebAsyncManagerIntegrationFilter.class, order.next());
   put(SecurityContextPersistenceFilter.class, order.next());
   put(HeaderWriterFilter.class, order.next());
   put(CorsFilter.class, order.next());
   put(CsrfFilter.class, order.next());
   put(LogoutFilter.class, order.next());
   this.filterToOrder.put(
         "org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter",
         order.next());
   this.filterToOrder.put(
         "org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter",
         order.next());
   put(X509AuthenticationFilter.class, order.next());
   put(AbstractPreAuthenticatedProcessingFilter.class, order.next());
   this.filterToOrder.put("org.springframework.security.cas.web.CasAuthenticationFilter", order.next());
   this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter",
         order.next());
   this.filterToOrder.put(
         "org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter",
         order.next());
   put(UsernamePasswordAuthenticationFilter.class, order.next());
   order.next(); // gh-8105
   this.filterToOrder.put("org.springframework.security.openid.OpenIDAuthenticationFilter", order.next());
   put(DefaultLoginPageGeneratingFilter.class, order.next());
   put(DefaultLogoutPageGeneratingFilter.class, order.next());
   put(ConcurrentSessionFilter.class, order.next());
   put(DigestAuthenticationFilter.class, order.next());
   this.filterToOrder.put(
         "org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter",
         order.next());
   put(BasicAuthenticationFilter.class, order.next());
   put(RequestCacheAwareFilter.class, order.next());
   put(SecurityContextHolderAwareRequestFilter.class, order.next());
   put(JaasApiIntegrationFilter.class, order.next());
   put(RememberMeAuthenticationFilter.class, order.next());
   put(AnonymousAuthenticationFilter.class, order.next());
   this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter",
         order.next());
   put(SessionManagementFilter.class, order.next());
   put(ExceptionTranslationFilter.class, order.next());
   put(FilterSecurityInterceptor.class, order.next());
   put(AuthorizationFilter.class, order.next());
   put(SwitchUserFilter.class, order.next());
}
```
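As an added example (not code from the original post or from Spring Security itself), here is how the ordering above matters in practice: a custom audit filter is registered relative to AnonymousAuthenticationFilter so that the SecurityContextHolder is always populated when it runs, and a helper dumps the effective chain so you can verify where it landed. It assumes Spring Security 5.7+ component-based configuration with javax.servlet (Spring Security 6 uses jakarta.servlet); FilterOrderConfig, PrincipalAuditFilter and printChainOrder are hypothetical names.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class FilterOrderConfig {
    // Hypothetical audit filter. It is registered AFTER AnonymousAuthenticationFilter, so by the
    // time it runs the SecurityContextHolder holds either the real user or the anonymous token;
    // registered before it, getAuthentication() would be null for every unauthenticated request.
    static class PrincipalAuditFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                        FilterChain chain) throws ServletException, IOException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            String who = (auth == null) ? "<no context>" : auth.getName();
            System.out.printf("[audit] %s %s by %s%n", req.getMethod(), req.getRequestURI(), who);
            chain.doFilter(req, res);
        }
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // Slot the filter into the chain relative to a known default filter.
            .addFilterAfter(new PrincipalAuditFilter(), AnonymousAuthenticationFilter.class);
        return http.build();
    }

    // Startup check: print the effective chain for "/" to confirm the order actually in use.
    static void printChainOrder(FilterChainProxy proxy) {
        List<Filter> filters = proxy.getFilters("/");
        for (int i = 0; i < filters.size(); i++) {
            System.out.printf("%2d %s%n", i + 1, filters.get(i).getClass().getSimpleName());
        }
    }
}
```

Call printChainOrder with the FilterChainProxy bean (registered as springSecurityFilterChain) once the context is up; the printed sequence follows the slots assigned in FilterOrderRegistration, with PrincipalAuditFilter right after AnonymousAuthenticationFilter.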

So that's that. Let's go through them one by one, starting with the ones listed in the official documentation.

Filters

1. ChannelProcessingFilter
2. SecurityContextPersistenceFilter
3. ConcurrentSessionFilter
4. UsernamePasswordAuthenticationFilter
5. SecurityContextHolderAwareRequestFilter
6. RememberMeAuthenticationFilter
7. AnonymousAuthenticationFilter
8. ExceptionTranslationFilter
9. FilterSecurityInterceptor

References

- https://docs.spring.io/spring-security/reference/index.html

- https://hanjo8813.github.io/til/42/
