1. Do you need to use Spring in your Servlet-based application to take advantage of Spring Security?
No.
2. How does Spring Security integrate with the Servlet Container?
Spring Security integrates with the Servlet Container by using a standard Servlet Filter.
3. Does Spring Security work with any application that runs in a Servlet Container?
Yes.
4. Spring Boot adds any Filter bean to the application filter chain.
5. Examples of Servlet Containers?
Apache Tomcat, Jetty, IBM WebSphere.
6. Spring Boot Security Auto Configuration?
- Adds @EnableWebSecurity
- Creates a @Bean UserDetailsService
- Creates a @Bean AuthenticationEventPublisher
7. DelegatingFilterProxy
You can register “DelegatingFilterProxy” through the standard Servlet container mechanism but delegate all the work to a Spring Bean that implements “Filter”.
8. FilterChainProxy
FilterChainProxy is a special Filter provided by Spring Security that allows delegating to many Filter instances through SecurityFilterChain.
9. SecurityFilterChain is used by FilterChainProxy to determine which Spring Security Filter instances should be invoked for the current request.
10. How are Filter instances invoked in a Servlet container?
In a Servlet container, Filter instances are invoked based upon the URL alone.
11. FilterChainProxy can determine invocation based upon anything in the HttpServletRequest by using the RequestMatcher interface.
12. There can be multiple SecurityFilterChain instances from which FilterChainProxy chooses.
13. How can you see the order of Filters?
You can see the order by looking at FilterOrderRegistration.
14. HttpSecurity can register Security Filters and build a SecurityFilterChain.
15. The list of filters is printed at INFO level on application startup.
16. Instead of implementing the Filter interface, you can extend OncePerRequestFilter.
17. How to add a custom Filter to the chain?
- Implement the Filter interface or extend the OncePerRequestFilter class.
- Add it to the chain with the HttpSecurity.addFilter*() methods.