Spring Security (Series) - Overview #2
Take a step back and see the forest for the trees!
Brief
So, in the previous post we went straight into Spring Security's workings.
Now, let's take a step back. We're going to go through its architecture and understand the role of each component.
Implementation
1. Client sends a request.
2. AuthenticationFilter intercepts the request and delegates the responsibility to the Authentication Manager using its authenticate method.
3. The Authentication Manager iterates through the Authentication Providers defined in Spring's context. It first calls their supports(Class<?>): boolean method and, if the result is true, goes on to call authenticate(Authentication): Authentication.
4. The Authentication Provider will, in turn, make use of a UserDetailsService and a PasswordEncoder to query the database for a user by username and match its password.
5. If a user is found and the password matches, an Authentication object (containing details about the user) is returned by the AuthenticationProvider all the way to the AuthenticationFilter, and then it is added to the SecurityContext.
In the next post, we'll create our own UserDetailsService, which will integrate with a SQL database where we store the users and their passwords.
Find the full repository here: https://github.com/andreiszu/spring-security
Stay tuned! 🚀