Security Architecture 25.10

Open in ChatGPT

The webforJ security system is built on a foundation of interfaces and design patterns that enable flexible, extensible route protection. This section explains how the foundational security framework functions, and how to build custom security solutions by implementing these interfaces.

Integrating with Spring

Most applications should use the Spring Security integration, as it auto-configures all of this for you. Only implement custom security if you have specific requirements or you're not using Spring Boot. The Spring integration is built on this same foundation architecture.

You'll learn about the core interfaces, the evaluator chain pattern, how navigation is intercepted and evaluated, and different approaches for storing authentication state.

Focus on architecture and extension points

These guides explain the foundational architecture and extension points, the interfaces you implement, and how they work together. Code examples show one possible approach, not prescriptive requirements. Your implementation can use different storage mechanisms (JWT, database, LDAP), different wiring patterns, or different authentication flows based on your needs.

What you'll learn

• Foundation architecture: The core interfaces that define security behavior and how they work together
• Navigation interception: How the security system intercepts navigation requests and evaluates access rules
• Evaluator chain pattern: How security rules are evaluated in priority order using the chain of responsibility pattern
• Authentication storage: Different approaches for storing user authentication state (sessions, JWT, database, etc.)
• Complete implementation: A working example showing all components wired together

Who this is for

These guides are for developers who want to:

• Build custom security implementations for non-Spring applications
• Understand the foundational architecture to troubleshoot issues
• Implement custom authentication flows or authorization logic
• Create security evaluators with domain-specific logic
• Integrate with existing authentication systems (LDAP, OAuth, custom backends)

Prerequisites

Before diving into these guides, you should:

• Complete the Getting Started guide to understand security concepts
• Understand security annotations from the Annotations guide
• Be familiar with the chain of responsibility design pattern
• Have experience with Java interfaces and inheritance

Topics

📄️ Foundational Architecture

Understand the core RouteSecurityManager, Context, Configuration, and Evaluator interfaces that power webforJ access control.

📄️ Navigation Flow

Trace how RouteSecurityObserver intercepts navigation, runs evaluators, and redirects users before any view renders.

📄️ Evaluator Chain

Evaluate route access through a priority-ordered chain of evaluators using the chain of responsibility pattern.

📄️ Custom Implementation Example

Build a session-based security stack by implementing SecurityConfiguration, SecurityContext, SecurityManager, and SecurityRegistrar.