arunagri82

Spring Security Flow

When a user submits login details, Spring Security’s authentication filter intercepts the request and converts it into an Authentication object. This object is then passed to the AuthenticationManager.

The AuthenticationManager decides which authentication method to use (e.g., database authentication, OAuth, LDAP, or custom logic). It forwards the request to the appropriate AuthenticationProvider.

The AuthenticationProvider contains the logic for validating the user. It uses the UserDetailsService to load user information and the PasswordEncoder to verify the password. If authentication succeeds, it returns a fully authenticated Authentication object.

The authentication filter receives the result. If the credentials are valid, Spring Security stores the Authentication object in the SecurityContext, which is held by the SecurityContextHolder. On every subsequent request, Spring Security checks this context (backed by the session or a JWT token) to determine whether the user is already authenticated.

If the token or session is valid, the request proceeds; otherwise, the user is denied access.
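
The flow described above, wired by hand as an added example that is not part of the original post. It assumes Spring Security 5.7 or later (spring-security-core and spring-security-crypto on the classpath); `AuthFlowDemo`, `PasswordProvider`, `login` and the sample user are hypothetical names constructed for illustration, and `login` stands in for the work the authentication filter does.

```java
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import org.springframework.security.core.context.*;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class AuthFlowDemo {
    // Hypothetical provider: the UserDetailsService + PasswordEncoder check from the text.
    static class PasswordProvider implements AuthenticationProvider {
        private final UserDetailsService users;
        private final PasswordEncoder encoder;
        private final String dummyHash; // compared against when the user is unknown
        PasswordProvider(UserDetailsService users, PasswordEncoder encoder) {
            this.users = users; this.encoder = encoder; this.dummyHash = encoder.encode("unused-placeholder");
        }
        @Override public Authentication authenticate(Authentication request) {
            UserDetails user = null;
            try { user = users.loadUserByUsername(request.getName()); }
            catch (UsernameNotFoundException unknown) { /* fall through to the dummy comparison */ }
            // Always run the hash comparison so unknown users and wrong passwords fail the same way.
            String stored = (user != null) ? user.getPassword() : dummyHash;
            boolean ok = encoder.matches(String.valueOf(request.getCredentials()), stored);
            if (user == null || !ok) throw new BadCredentialsException("Bad credentials");
            return UsernamePasswordAuthenticationToken.authenticated(user, null, user.getAuthorities());
        }
        // ProviderManager only hands a token to providers that support its type.
        @Override public boolean supports(Class<?> type) { return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type); }
    }

    static boolean login(AuthenticationManager manager, String username, String password) {
        Authentication request = UsernamePasswordAuthenticationToken.unauthenticated(username, password);
        try {
            Authentication result = manager.authenticate(request); // manager -> provider
            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(result);
            SecurityContextHolder.setContext(context);
            return true;
        } catch (AuthenticationException failure) {
            SecurityContextHolder.clearContext(); // never leave a stale identity in the context
            return false;
        }
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        UserDetailsService users = new InMemoryUserDetailsManager( // constructed sample user
            User.withUsername("alice").password(encoder.encode("correct-horse")).roles("USER").build());
        AuthenticationManager manager = new ProviderManager(new PasswordProvider(users, encoder));
        System.out.println(login(manager, "alice", "correct-horse") + " " + login(manager, "alice", "wrong-guess") + " " + login(manager, "mallory", "anything"));
    }
}
```

Unknown usernames and wrong passwords both surface as the same `BadCredentialsException`, so the response does not reveal which accounts exist.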
