Spring Security Architecture Explained
In today's world of rapidly evolving cybersecurity threats, protecting your
application from unauthorized access is paramount.
Spring Security, a powerful and flexible framework, plays a critical role in
securing Spring Boot applications.
Whether you're dealing with traditional username/password authentication, JWT
tokens, or other custom mechanisms, Spring Security provides the necessary
tools to handle authentication and authorization seamlessly.
In this blog, we'll dive into the Spring Security architecture, exploring how
various components like the Security Filter Chain, AuthenticationManager,
and Authentication Providers work together to secure your application.
[Diagram: Spring Security request flow, described step by step below]
1. Client Request
•A user or client makes a request to the application, usually to access
a protected resource.
•This request is processed by a chain of Security Filters.
2. Security Filter Chain
•Security Filter A, B, ... N: These are different filters that apply to the
incoming request, where each filter can handle specific types of
security logic (like CORS, CSRF protection, and more).
•One of these filters is responsible for authenticating the user.
3. Authentication Flow
•UsernamePasswordAuthenticationToken: This token represents the
user's credentials (username and password) and is passed to the
authentication logic.
•The authentication logic checks if the user credentials are valid. This
typically involves checking a database or other identity source.
4. AuthenticationManager / ProviderManager
•The AuthenticationManager (in practice usually its ProviderManager
implementation) manages the overall authentication process. It delegates
the authentication request to the Authentication Provider that supports
the type of Authentication object it receives.
5. Authentication Providers
•JWT Authentication Provider: If you're using JWT (JSON Web Token) for
authentication, this provider handles the verification of JWT tokens.
•DaoAuthenticationProvider: This provider handles traditional
authentication using a database, checking user credentials against
stored data (e.g., in a relational database).
•Other Providers (Authentication Provider N): You can define multiple
custom authentication providers if your application supports multiple
methods of authentication (e.g., OAuth2, LDAP).
6. UserDetailsService
•The UserDetailsService is responsible for loading user-specific data,
typically by looking up the user’s details from a database (using
the DaoAuthenticationProvider).
•The PasswordEncoder ensures that passwords are stored only in securely
hashed form; during authentication it compares the submitted password
against the stored hash, so the plaintext is never stored or compared
directly.
7. SecurityContext & JWT Authentication Filter
•If the user is successfully authenticated, the SecurityContext is
updated to store the user’s authentication status.
•The JWT Authentication Filter is responsible for handling JWT tokens:
on each request it validates the presented token and, if the token is
valid, populates the SecurityContext so that the request can reach
protected resources.
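The following is an added example, not code from the original post, showing how steps 2 and 7 fit together: a JWT filter that runs once per request and populates the SecurityContext, registered in a SecurityFilterChain ahead of Spring Security's own UsernamePasswordAuthenticationFilter. The JwtVerifier interface is an assumption standing in for whatever library the application uses to check the token's signature and expiry; the class names JwtAuthenticationFilter and SecurityConfig and the /api/auth/login path are likewise assumed.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/** Assumed application interface: checks signature and expiry of a JWT and
 *  returns the user it names, or null when the token is invalid or expired. */
interface JwtVerifier {
    UserDetails verify(String token);
}

/** Hypothetical filter for step 7: runs once per request and, on a valid
 *  Bearer token, stores an authenticated Authentication in the SecurityContext. */
class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final JwtVerifier verifier;

    JwtAuthenticationFilter(JwtVerifier verifier) {
        this.verifier = verifier;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header != null && header.startsWith("Bearer ")
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails user = verifier.verify(header.substring("Bearer ".length()));
            if (user != null) {
                // Credentials are null on purpose: the token has already been verified, and
                // the three-argument constructor marks the Authentication as authenticated.
                UsernamePasswordAuthenticationToken auth =
                        new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        // Do not short-circuit: a missing or bad token just leaves the request anonymous,
        // and the authorization rules in the filter chain decide whether that is enough.
        chain.doFilter(request, response);
    }
}

/** Hypothetical configuration for step 2: the ordered chain of security filters. */
@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtVerifier verifier) throws Exception {
        http
            // CSRF protection targets cookie-based sessions; this API is stateless and
            // authenticated only by the Bearer header, so there is no session to forge.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/auth/login").permitAll()
                .anyRequest().authenticated())
            // Place the JWT filter before the form-login filter so the SecurityContext is
            // already populated when the authorization filter at the end of the chain runs.
            .addFilterBefore(new JwtAuthenticationFilter(verifier),
                             UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

The application must provide a JwtVerifier bean for this configuration to start. Disabling CSRF is only appropriate because the chain is declared stateless; if the same application also serves a cookie-authenticated UI, keep CSRF enabled for that chain.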
8. Authentication Request/Response
•Once the authentication is performed by the filters and providers,
an Authentication Request is sent to the backend.
•After validation, an Authentication Response is returned, which could
contain the authentication token (such as a JWT), allowing the client
to access secure resources in subsequent requests.
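As an added example (not from the original post) of the request/response exchange in steps 3 and 8, here is a login endpoint that wraps the submitted credentials in an UsernamePasswordAuthenticationToken, hands them to the AuthenticationManager, and returns a token for the client to send on later requests. The TokenIssuer interface, the LoginRequest record and the AuthController class are assumptions; the AuthenticationManager bean is expected to come from the application's security configuration.

```java
import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/** Assumed application interface that signs a JWT for an authenticated principal. */
interface TokenIssuer {
    String issue(Authentication authentication);
}

/** Constructed request body: the JSON the client posts to /api/auth/login. */
record LoginRequest(String username, String password) {}

@RestController
@RequestMapping("/api/auth")
class AuthController {
    private final AuthenticationManager authenticationManager;
    private final TokenIssuer tokenIssuer;

    AuthController(AuthenticationManager authenticationManager, TokenIssuer tokenIssuer) {
        this.authenticationManager = authenticationManager;
        this.tokenIssuer = tokenIssuer;
    }

    @PostMapping("/login")
    ResponseEntity<Map<String, String>> login(@RequestBody LoginRequest body) {
        // Step 3: an *unauthenticated* token carrying the raw credentials (authenticated=false).
        Authentication request =
                UsernamePasswordAuthenticationToken.unauthenticated(body.username(), body.password());
        try {
            // Step 4-6 happen inside authenticate(): the ProviderManager picks a provider,
            // the DaoAuthenticationProvider loads the user and checks the password hash.
            Authentication result = authenticationManager.authenticate(request);
            // Step 8: the response carries the token the client will present as a Bearer header.
            return ResponseEntity.ok(Map.of("token", tokenIssuer.issue(result)));
        } catch (AuthenticationException e) {
            // One generic message for bad password, unknown user, locked or disabled account:
            // distinguishing them in the response would let a caller enumerate valid usernames.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                                 .body(Map.of("error", "authentication failed"));
        }
    }
}
```

Catching the base AuthenticationException rather than only BadCredentialsException keeps the failure response uniform across the different reasons a provider can reject a login.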
9. SecurityContextHeader
•The SecurityContextHeader encapsulates important security
information like the user's Principal (authenticated
user), Credentials (such as the password or token),
and Authorities (permissions or roles).
•These fields are exposed through accessors such as:
   •getAuthorities(): Fetches the roles or permissions granted
   to the user.
   •getPassword(), getUsername(): Standard user details.
   •isAccountNonExpired(), isAccountNonLocked(),
   isCredentialsNonExpired(), isEnabled(): These are checks to ensure
   the user account is in good standing (not expired, locked, etc.).
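The following added example (written for this page, not taken from the post) ties steps 5, 6 and 9 together: a UserDetails implementation exposing exactly the accessors listed above, a UserDetailsService that looks the user up, a PasswordEncoder, and a ProviderManager built around a DaoAuthenticationProvider. The AccountRow record and the two constructed accounts stand in for a database table; AccountUserDetails, InMemoryAccountService and AuthenticationConfig are assumed names.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Constructed stand-in for a database row (hypothetical; a real app would map a JPA entity). */
record AccountRow(String username, String passwordHash, List<String> roles,
                  boolean locked, boolean enabled) {}

/** The accessors from step 9. DaoAuthenticationProvider consults the status flags
 *  before the password check (locked, disabled, expired account) and after it
 *  (expired credentials), so a locked user is rejected even with the right password. */
class AccountUserDetails implements UserDetails {
    private final AccountRow row;

    AccountUserDetails(AccountRow row) {
        this.row = row;
    }

    @Override public Collection<? extends GrantedAuthority> getAuthorities() {
        // Spring's hasRole("USER") check expects the "ROLE_" prefix on the stored authority.
        return row.roles().stream().map(r -> new SimpleGrantedAuthority("ROLE_" + r)).toList();
    }
    @Override public String getPassword() { return row.passwordHash(); }   // hash, never plaintext
    @Override public String getUsername() { return row.username(); }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return !row.locked(); }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return row.enabled(); }
}

/** Step 6: loads user-specific data; here from a constructed in-memory table. */
class InMemoryAccountService implements UserDetailsService {
    private final Map<String, AccountRow> accounts;

    InMemoryAccountService(PasswordEncoder encoder) {
        // Hashes are produced at "registration" time; only the hash is kept.
        accounts = Map.of(
            "alice",   new AccountRow("alice",   encoder.encode("correct horse battery"), List.of("USER"), false, true),
            "mallory", new AccountRow("mallory", encoder.encode("hunter2"),               List.of("USER"), true,  true));
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        AccountRow row = accounts.get(username);
        if (row == null) {
            // DaoAuthenticationProvider converts this to BadCredentialsException by default,
            // so unknown users and wrong passwords produce the same failure.
            throw new UsernameNotFoundException("no such user");
        }
        return new AccountUserDetails(row);
    }
}

/** Steps 4 and 5: the ProviderManager delegating to a DaoAuthenticationProvider. */
@Configuration
class AuthenticationConfig {
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();   // adaptive, salted hash; cost factor defaults to 10
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryAccountService(encoder);
    }

    @Bean
    AuthenticationManager authenticationManager(UserDetailsService userDetailsService,
                                                PasswordEncoder encoder) {
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(userDetailsService);
        dao.setPasswordEncoder(encoder);
        // Additional providers (JWT, LDAP, ...) would be listed here; the ProviderManager
        // asks each one whether it supports the incoming Authentication type.
        return new ProviderManager(dao);
    }
}
```

With these beans, authenticating "alice" with her password succeeds and yields an Authentication whose authorities contain ROLE_USER, while "mallory" is rejected with a LockedException even when her password is correct, because isAccountNonLocked() returns false.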
Whether you're just starting with Spring Security or optimizing an existing
system, mastering this architecture will empower you to deliver secure and
reliable applications. If you’re ready to take your application security to the
next level, implementing these concepts is a great place to start!