Security Filter Chain
Every request passes through the filter chain before it reaches the Controller:

Request → SecurityFilterChain → Authentication → Authorization → Controller
                 ↓
           CorsFilter
                 ↓
           CsrfFilter
                 ↓
           AuthenticationFilter (JWT/Session)
                 ↓
           AuthorizationFilter (Role check)
Security Configuration
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    private final JwtFilter jwtFilter; // the JWT filter bean, injected by Spring

    public SecurityConfig(JwtFilter jwtFilter) {
        this.jwtFilter = jwtFilter;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            // CSRF protection guards cookie/session auth; a stateless bearer-token API does not use it
            .csrf(csrf -> csrf.disable())
            // no HttpSession: every request must carry its own token
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/auth/**").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN") // matches authority ROLE_ADMIN
                .anyRequest().authenticated())
            // run the JWT filter before the form-login filter so the SecurityContext is populated first
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
            .build();
    }
}
JWT Authentication Flow
1. POST /api/auth/login { email, password }
2. Server validates → generates JWT token
3. Client stores token
4. Subsequent requests: Authorization: Bearer <token>
5. JwtFilter extracts + validates token per request
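The following is an added example (not code from the original notes) that fills in the two pieces the configuration above and the flow steps 2 and 5 rely on: a hypothetical JwtService that issues and verifies HS256 tokens with the jjwt library (0.11.x API assumed, secret read from the hypothetical property app.jwt.secret), and the JwtFilter that runs before UsernamePasswordAuthenticationFilter. The filter deliberately never rejects a request itself: on a missing or invalid token it leaves the SecurityContext empty and lets the AuthorizationFilter deny access, which is what keeps /api/auth/** reachable and everything else protected. Roles from the token are mapped to ROLE_* authorities so that hasRole("ADMIN") in the config actually matches.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Date;
import java.util.List;
import java.util.stream.Collectors;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical helper (not from the original notes): issues and verifies HS256 tokens. */
@Component
class JwtService {
    private final Key key;
    private final long ttlMillis;

    // Assumption: secret (>= 32 bytes for HS256) comes from configuration, never from source code
    JwtService(@Value("${app.jwt.secret}") String secret,
               @Value("${app.jwt.ttl-millis:900000}") long ttlMillis) {
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
        this.ttlMillis = ttlMillis;
    }

    /** Step 2 of the flow: called by the login endpoint after credentials are verified. */
    String issue(String subject, List<String> roles) {
        Date now = new Date();
        return Jwts.builder()
            .setSubject(subject)
            .claim("roles", roles)
            .setIssuedAt(now)
            .setExpiration(new Date(now.getTime() + ttlMillis)) // short-lived by default
            .signWith(key, SignatureAlgorithm.HS256)
            .compact();
    }

    /** Verifies signature and expiry; throws JwtException on any failure. */
    Claims parse(String token) {
        return Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token).getBody();
    }
}

/** Step 5 of the flow: runs once per request, before UsernamePasswordAuthenticationFilter. */
@Component
public class JwtFilter extends OncePerRequestFilter {
    private final JwtService jwt;

    public JwtFilter(JwtService jwt) {
        this.jwt = jwt;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            // No token: stay anonymous and let AuthorizationFilter decide (permitAll vs authenticated)
            chain.doFilter(req, res);
            return;
        }
        try {
            Claims claims = jwt.parse(header.substring("Bearer ".length()).trim());
            List<?> roles = claims.get("roles", List.class);
            // Claims are trusted only because parse() verified the signature and expiry
            List<GrantedAuthority> authorities = (roles == null ? List.of() : roles).stream()
                .map(r -> new SimpleGrantedAuthority("ROLE_" + r)) // hasRole("ADMIN") expects ROLE_ADMIN
                .collect(Collectors.toList());
            UsernamePasswordAuthenticationToken auth =
                new UsernamePasswordAuthenticationToken(claims.getSubject(), null, authorities);
            auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(req));
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (JwtException | IllegalArgumentException e) {
            // Tampered, expired or malformed token: make sure nothing stale remains in the context
            SecurityContextHolder.clearContext();
        }
        chain.doFilter(req, res);
    }
}
```

With this in place, a request to /api/admin/** carrying a token whose roles claim lacks ADMIN reaches the AuthorizationFilter with a non-admin Authentication and is rejected with 403; a request with a bad token arrives anonymous and is rejected with 401 by the configured entry point. The filter itself never writes a response, which keeps the authentication and authorization steps in the order the diagram shows.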
Key insight: Spring Security works through the filter chain, not annotation magic. Understanding the order of the filters = understanding how security works.