Spring Security Architecture Deep Dive
Learn Spring Security Architecture from beginner to advanced level. Understand SecurityFilterChain, AuthenticationManager, AuthenticationProvider, UserDetailsService, SecurityContext, JWT Filters, Authorization Flow, and complete Spring Boot implementation.
Introduction
Many developers can configure Spring Security.
Very few developers understand how Spring Security works internally.
Common questions:
- What happens when a request reaches Spring Boot?
- How does Spring Security authenticate users?
- What is SecurityFilterChain?
- What is AuthenticationManager?
- What is AuthenticationProvider?
- What is UserDetailsService?
- How does JWT authentication work internally?
- Where are user roles stored?
This article answers all these questions.
Why Spring Security?
Without Spring Security:
flowchart LR
    Client --> Controller --> Service --> Database
Problems:
❌ No authentication: any caller reaches the controller
❌ No authorization: every caller can do everything
❌ No session protection (session fixation, concurrent-session limits)
❌ No password hashing or credential handling
❌ No CSRF protection
With Spring Security:
flowchart LR
    Client --> SecurityFilters --> Authentication --> Authorization --> Controller --> Service --> Database
Benefits:
✅ Authentication
✅ Authorization
✅ Password Hashing
✅ Session Management
✅ JWT Support
✅ OAuth2 Support
✅ CSRF Protection
High Level Spring Security Architecture
flowchart TB
    Client["HTTP Request"] --> FilterChain["SecurityFilterChain"]
    FilterChain --> AuthenticationManager
    AuthenticationManager --> AuthenticationProvider
    AuthenticationProvider --> UserDetailsService
    UserDetailsService --> Database
    Database --> UserDetailsService
    UserDetailsService --> AuthenticationProvider
    AuthenticationProvider --> AuthenticationManager
    AuthenticationManager --> SecurityContext
    SecurityContext --> Controller
This diagram represents the core Spring Security flow.
Complete Request Flow
Imagine:
POST /login
Request arrives.
sequenceDiagram
participant Client
participant SecurityFilterChain
participant AuthenticationManager
participant AuthenticationProvider
participant UserDetailsService
participant Database
Client->>SecurityFilterChain: Login Request
SecurityFilterChain->>AuthenticationManager: Authenticate
AuthenticationManager->>AuthenticationProvider: Verify User
AuthenticationProvider->>UserDetailsService: Load User
UserDetailsService->>Database: Find User
Database-->>UserDetailsService: User Record
UserDetailsService-->>AuthenticationProvider: User Details
AuthenticationProvider-->>AuthenticationManager: Authenticated User
AuthenticationManager-->>SecurityFilterChain: Success
SecurityFilterChain-->>Client: Response
SecurityFilterChain
SecurityFilterChain is the heart of Spring Security.
Spring Boot registers a single servlet filter named springSecurityFilterChain (a DelegatingFilterProxy). It delegates to FilterChainProxy, which picks the first SecurityFilterChain whose request matcher matches the URL, and every request that matches passes through that chain's ordered filters before it can reach a controller.
flowchart LR
    Request --> Filter1 --> Filter2 --> Filter3 --> Controller
Examples of filters:
- UsernamePasswordAuthenticationFilter (form login, POST /login)
- BasicAuthenticationFilter (HTTP Basic)
- BearerTokenAuthenticationFilter (JWT or opaque bearer tokens, from the OAuth2 resource server module), or a custom JWT filter you register yourself; there is no built-in filter literally named JWTAuthenticationFilter
- CsrfFilter
- LogoutFilter
Security Filter Pipeline
flowchart TB
    Request --> SecurityContextHolderFilter --> AuthenticationFilters --> ExceptionTranslationFilter --> AuthorizationFilter --> Controller
In Spring Security 6 the order is: SecurityContextHolderFilter (makes any saved SecurityContext, e.g. from the HTTP session, available for the request), the authentication filters, ExceptionTranslationFilter, and finally AuthorizationFilter. ExceptionTranslationFilter sits before AuthorizationFilter because it catches the AccessDeniedException the latter throws and turns it into a 401 (start authentication) for anonymous callers or a 403 for authenticated ones.
Each filter has a specific responsibility.
AuthenticationManager
AuthenticationManager is the entry point for authentication: its single method, authenticate(Authentication), takes an unauthenticated request (for example a username/password token) and returns a fully authenticated one, or throws an AuthenticationException.
Think of it as:
Authentication Coordinator
The default implementation, ProviderManager, does not verify credentials itself. It holds a list of AuthenticationProviders and delegates to each one whose supports() method accepts the token type, returning the first successful result.
Diagram:
flowchart LR
    AuthenticationManager --> AuthenticationProvider1
    AuthenticationManager --> AuthenticationProvider2
    AuthenticationManager --> AuthenticationProvider3
Multiple authentication methods can be plugged in.
Example:
- Database Login
- LDAP Login
- OAuth2 Login
AuthenticationProvider
AuthenticationProvider performs the actual credential check for one authentication mechanism.
Responsibilities:
- supports(Class): declare which Authentication token type it handles, so ProviderManager only calls it for those
- authenticate(Authentication): load the user, compare the submitted password with the stored hash, check the account flags (locked, disabled, expired)
- return an authenticated Authentication carrying the user's authorities, or throw an AuthenticationException (BadCredentialsException, LockedException, ...)
For database logins the built-in DaoAuthenticationProvider does this using a UserDetailsService and a PasswordEncoder.
flowchart LR
    Credentials --> AuthenticationProvider --> Valid --> AuthenticatedUser
UserDetailsService
UserDetailsService loads user information by username; it does not check the password.
Interface:
public interface UserDetailsService {
    UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}
DaoAuthenticationProvider calls it during authentication and then compares the submitted password with the returned UserDetails.getPassword() using the configured PasswordEncoder.
UserDetailsService Flow
flowchart LR
    Username --> UserDetailsService --> Database --> UserDetails
UserDetails Object
UserDetails is the interface through which Spring Security reads the loaded account:
- getUsername()
- getPassword(): the stored hash, compared by the PasswordEncoder
- getAuthorities(): roles and permissions as GrantedAuthority objects (a role "ADMIN" is stored as the authority "ROLE_ADMIN")
- isEnabled()
- isAccountNonLocked()
- isAccountNonExpired()
- isCredentialsNonExpired()
If any of the four boolean flags is false, DaoAuthenticationProvider rejects the login even when the password is correct.
Diagram:
classDiagram
    class UserDetails {
        +getUsername() String
        +getPassword() String
        +getAuthorities() Collection~GrantedAuthority~
        +isEnabled() boolean
        +isAccountNonLocked() boolean
        +isAccountNonExpired() boolean
        +isCredentialsNonExpired() boolean
    }
Database Authentication Example
Entity:
import jakarta.persistence.*;
import lombok.Getter;
import lombok.Setter;

@Entity
@Table(name = "users") // "user" is a reserved word in PostgreSQL, H2 and other databases
@Getter @Setter
public class User {
    @Id @GeneratedValue
    private Long id;
    @Column(nullable = false, unique = true)
    private String username;
    private String password; // hash produced by the PasswordEncoder, never the plain text
    private String role;     // "ADMIN" or "USER", stored without the ROLE_ prefix
}
Repository:
import java.util.Optional;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;

@Repository
public interface UserRepository extends JpaRepository<User, Long> {
    // Derived query: SELECT ... FROM users WHERE username = ?
    Optional<User> findByUsername(String username);
}
Custom UserDetailsService
import lombok.RequiredArgsConstructor;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
@RequiredArgsConstructor
public class CustomUserDetailsService implements UserDetailsService {

    private final UserRepository repository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = repository.findByUsername(username)
                // UsernameNotFoundException is what DaoAuthenticationProvider expects; it converts
                // it to BadCredentialsException so a client cannot tell "no such user" from "wrong password"
                .orElseThrow(() -> new UsernameNotFoundException("User not found: " + username));
        return org.springframework.security.core.userdetails.User.builder()
                .username(user.getUsername())
                .password(user.getPassword())   // already hashed; do not encode it again here
                .roles(user.getRole())          // roles("ADMIN") becomes the authority ROLE_ADMIN
                .build();
    }
}
Declaring this bean is enough: Spring Boot wires it, together with the PasswordEncoder bean, into the auto-configured DaoAuthenticationProvider.
Authentication Object
Spring Security represents both the login attempt and its result as an Authentication object.
Before authentication it carries the submitted principal and credentials (for example a UsernamePasswordAuthenticationToken with isAuthenticated() == false); after a successful authenticate() call the AuthenticationManager returns a new one with isAuthenticated() == true.
Contains:
- getPrincipal(): the user identity, usually the UserDetails object
- getCredentials(): the submitted password, erased (set to null) by ProviderManager after success so it is not kept in memory
- getAuthorities(): the granted roles and permissions
- isAuthenticated(): the authentication status
SecurityContext
After authentication succeeds:
Spring stores authenticated user in SecurityContext.
flowchart LR
    Authentication --> SecurityContext --> CurrentUser
SecurityContextHolder
Access logged-in user:
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String username = auth.getName();
By default SecurityContextHolder keeps the context in a ThreadLocal, so it is visible only on the thread handling the request: code running in @Async methods or in a thread pool does not see it unless the context is propagated (for example with DelegatingSecurityContextExecutor). For an unauthenticated request auth is null or an AnonymousAuthenticationToken, so check for both before trusting it. In a controller, a method parameter of type Authentication or @AuthenticationPrincipal UserDetails yields the same object without touching the holder.
Authorization Flow
After authentication:
Authorization begins.
flowchart TB
    AuthenticatedUser --> RoleCheck --> PermissionCheck --> ResourceAccess
Role Based Access Control
flowchart LR
    Admin --> CreateUser
    Admin --> DeleteUser
    User --> ViewProfile
    User --> UpdateProfile
Security Configuration
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // hasRole("ADMIN") matches the authority ROLE_ADMIN; rules are evaluated top-down
                // and the first matching rule wins, so put the most specific patterns first
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/user/**").hasRole("USER")
                .anyRequest().authenticated()
            )
            // Customizer.withDefaults() replaces the no-arg httpBasic(), deprecated since 6.1
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
Two things to check before shipping this: an ADMIN who does not also hold ROLE_USER is denied on /user/**, so use hasAnyRole("USER", "ADMIN") or a RoleHierarchy bean if admins should inherit user access; and the chain needs a PasswordEncoder bean (for example BCryptPasswordEncoder) so that DaoAuthenticationProvider can verify the hashes that CustomUserDetailsService returns.
JWT Authentication Architecture
Stateless REST APIs usually avoid server-side sessions: the client presents a signed token on every request and the server rebuilds the SecurityContext from it each time.
Instead:
sequenceDiagram
participant Client
participant API
participant JWT
Client->>API: Login
API->>JWT: Generate Token
JWT-->>Client: JWT
Client->>API: Request + JWT
API->>JWT: Validate Token
JWT-->>API: Valid
API-->>Client: Response
JWT Filter Architecture
flowchart TB
    Request --> JWTFilter
    JWTFilter --> ValidateToken
    ValidateToken --> SecurityContext
    SecurityContext --> Controller
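The filter architecture above, written out as an added example (not code from the article, and not Spring Security's own BearerTokenAuthenticationFilter): a OncePerRequestFilter that validates the bearer token, builds an Authentication from it, and installs a fresh SecurityContext for this request only, plus the stateless chain that registers it. Assumptions: spring-boot-starter-security and spring-security-oauth2-jose (for NimbusJwtDecoder) are on the classpath, tokens are HS256-signed with a shared secret and carry a "roles" claim, the login endpoint is /login, and the class names JwtAuthenticationFilter and JwtSecurityConfig are invented here.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter: validates the bearer token and, if valid, populates the SecurityContext
// for this request only. Nothing is read from or written to an HTTP session.
public class JwtAuthenticationFilter extends OncePerRequestFilter {

    private final JwtDecoder jwtDecoder;

    public JwtAuthenticationFilter(JwtDecoder jwtDecoder) {
        this.jwtDecoder = jwtDecoder;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(request, response); // no token: stay anonymous, AuthorizationFilter decides
            return;
        }
        Jwt jwt;
        try {
            // decode() verifies the signature and the exp/nbf claims and throws on any problem.
            jwt = jwtDecoder.decode(header.substring("Bearer ".length()));
        } catch (JwtException e) {
            // A present-but-invalid token is rejected outright, not downgraded to anonymous.
            SecurityContextHolder.clearContext();
            response.setHeader("WWW-Authenticate", "Bearer error=\"invalid_token\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Assumption: the login endpoint issues tokens with a "roles" claim such as ["ADMIN"].
        List<String> roles = jwt.getClaimAsStringList("roles");
        List<GrantedAuthority> authorities = (roles == null ? List.<String>of() : roles).stream()
                .<GrantedAuthority>map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .toList();
        // An empty context is created rather than mutating a shared one (avoids cross-thread races).
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(
                UsernamePasswordAuthenticationToken.authenticated(jwt.getSubject(), null, authorities));
        SecurityContextHolder.setContext(context);
        chain.doFilter(request, response);
    }
}

@Configuration
@EnableWebSecurity
class JwtSecurityConfig {

    @Bean
    JwtDecoder jwtDecoder() {
        // Assumed HS256 shared secret for the example (HS256 needs at least 32 bytes). In production
        // load it from configuration, or use RSA/EC keys or a JWK set (NimbusJwtDecoder.withJwkSetUri).
        byte[] secret = "change-me-this-demo-secret-must-be-32-bytes!".getBytes(StandardCharsets.UTF_8);
        SecretKey key = new SecretKeySpec(secret, "HmacSHA256");
        return NimbusJwtDecoder.withSecretKey(key).build();
    }

    @Bean
    SecurityFilterChain jwtFilterChain(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
        http
            // STATELESS: never create an HttpSession or restore a SecurityContext from one.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF protects cookie-based sessions; a header-borne bearer token is never attached by the browser.
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login").permitAll()
                .anyRequest().authenticated())
            // Placed before UsernamePasswordAuthenticationFilter so the context is set ahead of AuthorizationFilter.
            .addFilterBefore(new JwtAuthenticationFilter(jwtDecoder), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

The same result with less custom code is http.oauth2ResourceServer(o -> o.jwt(Customizer.withDefaults())), which installs Spring's BearerTokenAuthenticationFilter and uses the JwtDecoder bean; the hand-written filter is shown here only to make visible where validation happens and where the SecurityContext is populated. Whatever issues the token must sign it with the same key and set a short exp, since a stateless server cannot revoke a token it has already accepted.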
Method Level Security
Enable:
Put @EnableMethodSecurity on any @Configuration class. It replaces the older @EnableGlobalMethodSecurity(prePostEnabled = true) and turns on @PreAuthorize and @PostAuthorize by default.
Example:
import org.springframework.security.access.prepost.PreAuthorize;

@PreAuthorize("hasRole('ADMIN')")
public void deleteUser() {
}
Flow:
flowchart LR
    Request --> Proxy --> PreAuthorizeCheck --> RoleCheck --> MethodBody
The expression is evaluated by an AOP interceptor on the Spring proxy around the bean, before the method body runs; if it evaluates to false an AccessDeniedException is thrown and the body never executes.
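An added example of method security in practice (not code from the article): a role check, an object-level check on a method argument, a check on the return value, and the self-invocation pitfall that the proxy-based flow above implies. The AccountService and Account types and the in-memory data are constructed for the example; it assumes @EnableMethodSecurity is active and that the project is compiled with -parameters (Spring Boot's build plugins set this), which SpEL needs to resolve #ownerUsername by name.

```java
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// Registers the AOP interceptor that evaluates @PreAuthorize/@PostAuthorize around proxied beans.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Constructed domain object for the example.
record Account(String id, String ownerUsername, long balanceCents) {
}

@Service
public class AccountService {

    // Constructed in-memory data standing in for the database.
    private final Map<String, Account> accounts = Map.of(
            "acc-1", new Account("acc-1", "alice", 120_00L),
            "acc-2", new Account("acc-2", "bob", 45_00L));

    // Role check, evaluated by the proxy before the body runs: only ADMIN may close an account.
    @PreAuthorize("hasRole('ADMIN')")
    public void closeAccount(String accountId) {
        lookup(accountId);
        // ... mark the account closed in the database
    }

    // Object-level check on an argument: #ownerUsername is the parameter, authentication.name
    // is the logged-in user taken from the SecurityContext.
    @PreAuthorize("hasRole('ADMIN') or #ownerUsername == authentication.name")
    public List<Account> findByOwner(String ownerUsername) {
        return accounts.values().stream()
                .filter(a -> a.ownerUsername().equals(ownerUsername))
                .toList();
    }

    // Check on the return value: the account is loaded first, then access is decided per object,
    // so an ID-guessing user gets 403 instead of someone else's account.
    @PostAuthorize("hasRole('ADMIN') or returnObject.ownerUsername() == authentication.name")
    public Account findById(String accountId) {
        return lookup(accountId);
    }

    // PITFALL: this::closeAccount is a self-invocation and never passes through the proxy, so the
    // @PreAuthorize on closeAccount is NOT evaluated for these calls. The check must therefore be
    // repeated here (or the call routed through an injected bean).
    @PreAuthorize("hasRole('ADMIN')")
    public void closeAll(List<String> accountIds) {
        accountIds.forEach(this::closeAccount);
    }

    private Account lookup(String accountId) {
        Account account = accounts.get(accountId);
        if (account == null) {
            throw new NoSuchElementException("No account " + accountId);
        }
        return account;
    }
}
```

With a SecurityContext holding user "bob" with ROLE_USER, findByOwner("alice") and findById("acc-1") both end in AccessDeniedException (a 403 at the web layer), while findByOwner("bob") and findById("acc-2") succeed; an ADMIN passes every check. When writing tests, @WithMockUser(username = "bob", roles = "USER") from spring-security-test sets up exactly that context.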
Spring Security Components Summary
mindmap
  root((Spring Security))
    SecurityFilterChain
    AuthenticationManager
    AuthenticationProvider
    UserDetailsService
    UserDetails
    Authentication
    Authorization
    SecurityContext
    JWT
    Method Security
Real World Banking Architecture
flowchart TB
    Customer --> API
    API --> JWTFilter
    JWTFilter --> SecurityContext
    SecurityContext --> AccountController
    AccountController --> Service
    Service --> Database
Every request passes through security before reaching business logic.
Common Interview Questions
What is SecurityFilterChain?
Main entry point for Spring Security request processing.
What is AuthenticationManager?
Coordinates authentication.
What is AuthenticationProvider?
Performs authentication.
What is UserDetailsService?
Loads user information.
What is SecurityContext?
Stores authenticated user information.
What is the difference between Authentication and Authorization?
Authentication verifies identity.
Authorization verifies permissions.
Key Takeaways
- Every request passes through SecurityFilterChain.
- AuthenticationManager coordinates authentication.
- AuthenticationProvider performs authentication.
- UserDetailsService loads user information.
- SecurityContext stores logged-in user details.
- Authorization occurs after authentication.
- JWT authentication uses a filter to rebuild the SecurityContext from the token on every request, instead of a server-side session.
- Spring Security is a filter-based architecture.
Next Article
➡️ Secure Password Hashing with BCrypt