
Spring Security (Series) - Overview #2

#spring #springsecurity #springboot

Take a step back and see the forest for the trees!


So, in the previous post we went straight into Spring Security's workings.

Now, let's take a step back. We're going to go through its architecture and understand the role of each component.

Spring Security Architecture


  1. Client sends a request.
  2. AuthenticationFilter intercepts the request and delegates the responsibility to the Authentication Manager using its authenticate method.
  3. The Authentication Manager iterates through the Authentication Providers defined in Spring's context. It first calls their supports(Class<?>): boolean method and, if the result is true, goes on to call authenticate(Authentication): Authentication.
  4. The Authentication Provider will, in turn, make use of a UserDetailsService and a PasswordEncoder to query the database for a user by username and match its password.
  5. If a user is found and the password matches, an Authentication object (containing details about the user) is returned by the AuthenticationProvider all the way to the AuthenticationFilter, and then it is added to the SecurityContext:

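protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
	try {
		Authentication authentication = attemptAuthentication(request, response);
		SecurityContextHolder.getContext().setAuthentication(authentication); // step 5: store the result in the SecurityContext
		filterChain.doFilter(request, response); // continue down the chain as the authenticated user
	} catch (AuthenticationException ex) {
		// return a 401 HttpStatus response
		response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
	}
}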

In the next post, we'll create our own UserDetailsService which will integrate with a SQL database where we store the users and their passwords.

Find the full repository here:  https://github.com/andreiszu/spring-security
