Security Architecture 25.10
The webforJ security system is built on a foundation of interfaces and design patterns that enable flexible, extensible route protection. This section explains how the foundational security framework functions, and how to build custom security solutions by implementing these interfaces.
Most applications should use the Spring Security integration, as it auto-configures all of this for you. Only implement custom security if you have specific requirements or you're not using Spring Boot. The Spring integration is built on this same foundation architecture.
You'll learn about the core interfaces, the evaluator chain pattern, how navigation is intercepted and evaluated, and different approaches for storing authentication state.
These guides explain the foundational architecture and extension points, the interfaces you implement, and how they work together. Code examples show one possible approach, not prescriptive requirements. Your implementation can use different storage mechanisms (JWT, database, LDAP), different wiring patterns, or different authentication flows based on your needs.
What you'll learn
- Foundation architecture: The core interfaces that define security behavior and how they work together
- Navigation interception: How the security system intercepts navigation requests and evaluates access rules
- Evaluator chain pattern: How security rules are evaluated in priority order using the chain of responsibility pattern
- Authentication storage: Different approaches for storing user authentication state (sessions, JWT, database, etc.)
- Complete implementation: A working example showing all components wired together
Who this is for
These guides are for developers who want to:
- Build custom security implementations for non-Spring applications
- Understand the foundational architecture to troubleshoot issues
- Implement custom authentication flows or authorization logic
- Create security evaluators with domain-specific logic
- Integrate with existing authentication systems (LDAP, OAuth, custom backends)
Prerequisites
Before diving into these guides, you should:
- Complete the Getting Started guide to understand security concepts
- Understand security annotations from the Annotations guide
- Be familiar with the chain of responsibility design pattern
- Have experience with Java interfaces and inheritance
Topics
📄️ Foundational Architecture
The webforJ security system is built on a foundation of core interfaces that work together to provide route-level access control. These interfaces define the contracts for security behavior, allowing different implementations, whether session-based, based on JSON Web Tokens (JWT), LDAP-integrated, or database-backed, to plug into the same underlying framework.
📄️ Navigation Flow
Security enforcement in webforJ happens automatically during navigation. When a user clicks a link or navigates to a route, the security system intercepts the navigation, evaluates access rules, and either allows the navigation to proceed or redirects the user to an appropriate page. This interception is invisible to users and requires no manual security checks in your component code.
📄️ Evaluator Chain
The evaluator chain is the heart of webforJ's security system. It's a priority-ordered sequence of evaluators that examine routes and make access decisions using the chain of responsibility design pattern. Understanding how the chain works helps you create custom evaluators and troubleshoot unexpected access denials.
📄️ Custom Implementation Example
This guide walks through building a complete custom security implementation using session-based authentication. You'll learn how the four core interfaces work together by implementing them from scratch.