<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: sonali kumari shahi</title>
    <description>The latest articles on DEV Community by sonali kumari shahi (@sonalishahi).</description>
    <link>https://dev.to/sonalishahi</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3961186%2F43a378a5-ae08-4c74-8d67-a9f3321ec4c8.jpeg</url>
      <title>DEV Community: sonali kumari shahi</title>
      <link>https://dev.to/sonalishahi</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/sonalishahi"/>
    <language>en</language>
    <item>
      <title># Why Do We Use PasswordEncoder in Spring Security?</title>
      <dc:creator>sonali kumari shahi</dc:creator>
      <pubDate>Sun, 14 Jun 2026 08:13:30 +0000</pubDate>
      <link>https://dev.to/sonalishahi/-why-do-we-use-passwordencoder-in-spring-security-3klo</link>
      <guid>https://dev.to/sonalishahi/-why-do-we-use-passwordencoder-in-spring-security-3klo</guid>
      <description>&lt;p&gt;When I first started learning Spring Security, I had a simple question:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"If Spring Security can authenticate users using usernames and passwords, why do we need a PasswordEncoder?"&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The answer lies in one important principle:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Passwords should never be stored in plain text.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Imagine if passwords were stored like this in the database:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Username: sonali
Password: sonali123
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If the database gets leaked, attackers can immediately see users' actual passwords.&lt;/p&gt;

&lt;p&gt;That's a huge security risk.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Better Approach: Hashing Passwords
&lt;/h2&gt;

&lt;p&gt;Instead of storing the original password, Spring Security allows us to store an encoded version of it.&lt;/p&gt;

&lt;p&gt;For example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sonali123
↓
$2a$10$k9Y...
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Even if someone gains access to the database, they cannot easily determine the original password.&lt;/p&gt;




&lt;h2&gt;
  
  
  Enter PasswordEncoder
&lt;/h2&gt;

&lt;p&gt;Spring Security provides the &lt;code&gt;PasswordEncoder&lt;/code&gt; interface to handle password encoding and verification.&lt;/p&gt;

&lt;p&gt;A commonly used implementation is:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;BCryptPasswordEncoder&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To tell Spring Security to use BCrypt, we can define a bean like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="nd"&gt;@Bean&lt;/span&gt;
&lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="nc"&gt;PasswordEncoder&lt;/span&gt; &lt;span class="nf"&gt;passwordEncoder&lt;/span&gt;&lt;span class="o"&gt;()&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nf"&gt;BCryptPasswordEncoder&lt;/span&gt;&lt;span class="o"&gt;();&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  Encoding a Password
&lt;/h2&gt;

&lt;p&gt;Before saving a user's password to the database, we encode it.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;rawPassword&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s"&gt;"sonali123"&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;

&lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;encodedPassword&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;passwordEncoder&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;encode&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;rawPassword&lt;/span&gt;&lt;span class="o"&gt;);&lt;/span&gt;

&lt;span class="nc"&gt;System&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;out&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;println&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;encodedPassword&lt;/span&gt;&lt;span class="o"&gt;);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The output might look something like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$2a$10$X3YwL...
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Interestingly, BCrypt generates a different encoded value each time, making it even more secure.&lt;/p&gt;




&lt;h2&gt;
  
  
  But How Does Login Work?
&lt;/h2&gt;

&lt;p&gt;A common question is:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"If the encoded value changes every time, how does Spring Security verify passwords during login?"&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;When a user logs in:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The user enters a password.&lt;/li&gt;
&lt;li&gt;Spring Security retrieves the encoded password from the database.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;PasswordEncoder.matches()&lt;/code&gt; is used to compare them securely.
&lt;/li&gt;
&lt;/ol&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="kt"&gt;boolean&lt;/span&gt; &lt;span class="n"&gt;isMatch&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;passwordEncoder&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;matches&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;
        &lt;span class="s"&gt;"sonali123"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt;
        &lt;span class="n"&gt;encodedPassword&lt;/span&gt;
&lt;span class="o"&gt;);&lt;/span&gt;

&lt;span class="nc"&gt;System&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;out&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;println&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;isMatch&lt;/span&gt;&lt;span class="o"&gt;);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Output:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;true
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  What Actually Happens During Authentication?
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;User enters password
          ↓
Spring fetches encoded password from database
          ↓
PasswordEncoder.matches()
          ↓
Authentication Success / Failure
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;One thing that surprised me while learning Spring Security was that it never compares plain text passwords directly.&lt;/p&gt;

&lt;p&gt;Instead, it uses &lt;code&gt;PasswordEncoder&lt;/code&gt; to securely verify whether the entered password matches the encoded password stored in the database.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Big Takeaway
&lt;/h2&gt;

&lt;p&gt;Using PasswordEncoder isn't just a Spring Security feature—it's a security best practice.&lt;/p&gt;

&lt;p&gt;As developers, we should never store passwords in plain text.&lt;/p&gt;

&lt;p&gt;Instead, we should always encode them before saving them to the database.&lt;/p&gt;

&lt;p&gt;Because protecting user data starts with protecting their passwords. 🔐&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>java</category>
      <category>programming</category>
      <category>springsecurity</category>
    </item>
    <item>
      <title>10 Spring Security Configurations Every Beginner Should Know</title>
      <dc:creator>sonali kumari shahi</dc:creator>
      <pubDate>Wed, 10 Jun 2026 07:37:53 +0000</pubDate>
      <link>https://dev.to/sonalishahi/10-spring-security-configurations-i-keep-coming-back-to-56km</link>
      <guid>https://dev.to/sonalishahi/10-spring-security-configurations-i-keep-coming-back-to-56km</guid>
      <description>&lt;p&gt;While learning Spring Security, I found myself searching for the same configurations again and again.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Questions like:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;How do I make an endpoint public?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;How do I restrict an API to admin users?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;How do I disable CSRF for REST APIs?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;How do I add a JWT filter?&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So, I decided to create a small cheatsheet containing some of the Spring Security configurations I use most often while building projects.&lt;/p&gt;

&lt;p&gt;If you're getting started with Spring Security, I hope this saves you some time. &lt;/p&gt;

&lt;h2&gt;
  
  
  1. Allow Public Endpoints
&lt;/h2&gt;

&lt;p&gt;Use &lt;strong&gt;permitAll()&lt;/strong&gt; when an endpoint should be accessible without authentication.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;requestMatchers&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"/login"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="s"&gt;"/signup"&lt;/span&gt;&lt;span class="o"&gt;).&lt;/span&gt;&lt;span class="na"&gt;permitAll&lt;/span&gt;&lt;span class="o"&gt;()&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  2. Require Authentication
&lt;/h2&gt;

&lt;p&gt;Use &lt;strong&gt;authenticated()&lt;/strong&gt; when users must log in before accessing an endpoint.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;anyRequest&lt;/span&gt;&lt;span class="o"&gt;().&lt;/span&gt;&lt;span class="na"&gt;authenticated&lt;/span&gt;&lt;span class="o"&gt;()&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  3. Restrict Access Based on Roles
&lt;/h2&gt;

&lt;p&gt;Allow only ADMIN users to access specific APIs.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;requestMatchers&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"/admin/**"&lt;/span&gt;&lt;span class="o"&gt;).&lt;/span&gt;&lt;span class="na"&gt;hasRole&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"ADMIN"&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  4. Allow Multiple Roles
&lt;/h2&gt;

&lt;p&gt;When more than one role should have access:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;requestMatchers&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"/dashboard/**"&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;hasAnyRole&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"USER"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="s"&gt;"ADMIN"&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  5. Disable CSRF for REST APIs
&lt;/h2&gt;

&lt;p&gt;In stateless REST APIs, CSRF protection is often disabled.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="n"&gt;http&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;csrf&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;csrf&lt;/span&gt; &lt;span class="o"&gt;-&amp;gt;&lt;/span&gt; &lt;span class="n"&gt;csrf&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;disable&lt;/span&gt;&lt;span class="o"&gt;());&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  6. Define a Password Encoder
&lt;/h2&gt;

&lt;p&gt;Never store passwords in plain text.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="nd"&gt;@Bean&lt;/span&gt;
&lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="nc"&gt;PasswordEncoder&lt;/span&gt; &lt;span class="nf"&gt;passwordEncoder&lt;/span&gt;&lt;span class="o"&gt;()&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nf"&gt;BCryptPasswordEncoder&lt;/span&gt;&lt;span class="o"&gt;();&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  7. Enable HTTP Basic Authentication
&lt;/h2&gt;

&lt;p&gt;Useful while learning or testing APIs.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="n"&gt;http&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;httpBasic&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nc"&gt;Customizer&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;withDefaults&lt;/span&gt;&lt;span class="o"&gt;());&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  8. Use Stateless Sessions (JWT)
&lt;/h2&gt;

&lt;p&gt;When building JWT-based applications:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="n"&gt;http&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;sessionManagement&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;session&lt;/span&gt; &lt;span class="o"&gt;-&amp;gt;&lt;/span&gt;
    &lt;span class="n"&gt;session&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;sessionCreationPolicy&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nc"&gt;SessionCreationPolicy&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;STATELESS&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
&lt;span class="o"&gt;);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  9. Add a Custom JWT Filter
&lt;/h2&gt;

&lt;p&gt;Register your JWT filter before Spring's authentication filter.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="n"&gt;http&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;addFilterBefore&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;jwtAuthFilter&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt;
    &lt;span class="nc"&gt;UsernamePasswordAuthenticationFilter&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;class&lt;/span&gt;
&lt;span class="o"&gt;);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  10. Get the Currently Logged-in User
&lt;/h2&gt;

&lt;p&gt;Access details of the authenticated user.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="nc"&gt;Authentication&lt;/span&gt; &lt;span class="n"&gt;authentication&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt;
    &lt;span class="nc"&gt;SecurityContextHolder&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;getContext&lt;/span&gt;&lt;span class="o"&gt;().&lt;/span&gt;&lt;span class="na"&gt;getAuthentication&lt;/span&gt;&lt;span class="o"&gt;();&lt;/span&gt;

&lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;username&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;authentication&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;getName&lt;/span&gt;&lt;span class="o"&gt;();&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Putting It All Together
&lt;/h2&gt;

&lt;p&gt;A beginner-friendly security configuration might look like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="nd"&gt;@Bean&lt;/span&gt;
&lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="nc"&gt;SecurityFilterChain&lt;/span&gt; &lt;span class="nf"&gt;securityFilterChain&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nc"&gt;HttpSecurity&lt;/span&gt; &lt;span class="n"&gt;http&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
        &lt;span class="kd"&gt;throws&lt;/span&gt; &lt;span class="nc"&gt;Exception&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;

    &lt;span class="n"&gt;http&lt;/span&gt;
        &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;csrf&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;csrf&lt;/span&gt; &lt;span class="o"&gt;-&amp;gt;&lt;/span&gt; &lt;span class="n"&gt;csrf&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;disable&lt;/span&gt;&lt;span class="o"&gt;())&lt;/span&gt;

        &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;authorizeHttpRequests&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;auth&lt;/span&gt; &lt;span class="o"&gt;-&amp;gt;&lt;/span&gt; &lt;span class="n"&gt;auth&lt;/span&gt;
            &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;requestMatchers&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"/login"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="s"&gt;"/signup"&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
            &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;permitAll&lt;/span&gt;&lt;span class="o"&gt;()&lt;/span&gt;

            &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;requestMatchers&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"/admin/**"&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
            &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;hasRole&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"ADMIN"&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;

            &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;anyRequest&lt;/span&gt;&lt;span class="o"&gt;()&lt;/span&gt;
            &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;authenticated&lt;/span&gt;&lt;span class="o"&gt;()&lt;/span&gt;
        &lt;span class="o"&gt;)&lt;/span&gt;

        &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;httpBasic&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nc"&gt;Customizer&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;withDefaults&lt;/span&gt;&lt;span class="o"&gt;());&lt;/span&gt;

    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;http&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;build&lt;/span&gt;&lt;span class="o"&gt;();&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Final Thoughts
&lt;/h2&gt;

&lt;p&gt;Spring Security can feel overwhelming at first because there are so many configurations to remember.&lt;/p&gt;

&lt;p&gt;The good news?&lt;/p&gt;

&lt;p&gt;You don't need to memorize everything.&lt;/p&gt;

&lt;p&gt;Over time, you'll notice that you keep using the same patterns again and again.&lt;/p&gt;

&lt;p&gt;I created this cheatsheet mainly for myself, but I hope it helps other developers who are starting their Spring Security journey as well.&lt;/p&gt;

&lt;p&gt;Which Spring Security configuration do you use most often? Let me know in the comments! 😊&lt;/p&gt;

</description>
      <category>java</category>
      <category>development</category>
      <category>backend</category>
      <category>springsecurity</category>
    </item>
    <item>
      <title>Security Filter Chain Explained: The Heart of Spring Security</title>
      <dc:creator>sonali kumari shahi</dc:creator>
      <pubDate>Fri, 05 Jun 2026 12:25:55 +0000</pubDate>
      <link>https://dev.to/sonalishahi/security-filter-chain-explained-the-heart-of-spring-security-18hh</link>
      <guid>https://dev.to/sonalishahi/security-filter-chain-explained-the-heart-of-spring-security-18hh</guid>
      <description>&lt;p&gt;After learning about Authentication and Authorization, I came across another important term in Spring Security:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Security Filter Chain&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Almost every request in a Spring Security application passes through it.&lt;/p&gt;

&lt;p&gt;But what exactly is it, and why is it so important?&lt;/p&gt;

&lt;p&gt;Let's understand it with a simple example.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is the Security Filter Chain?
&lt;/h2&gt;

&lt;p&gt;The Security Filter Chain is a collection of filters that process every incoming request before it reaches your controller.&lt;/p&gt;

&lt;p&gt;Client Request&lt;br&gt;
       ↓&lt;br&gt;
Security Filter Chain&lt;br&gt;
       ↓&lt;br&gt;
Controller&lt;br&gt;
       ↓&lt;br&gt;
Response&lt;/p&gt;

&lt;p&gt;Think of it as a security checkpoint.&lt;/p&gt;

&lt;p&gt;Before allowing a request to enter your application, Spring Security performs multiple checks.&lt;/p&gt;
&lt;h2&gt;
  
  
  Why Do We Need It?
&lt;/h2&gt;

&lt;p&gt;Imagine a shopping mall without security guards.&lt;br&gt;
Anyone could walk in and access restricted areas.&lt;br&gt;
Similarly, without security checks, anyone could access your APIs.&lt;/p&gt;

&lt;p&gt;The Security Filter Chain helps Spring Security:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Identify users&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Verify credentials&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Check permissions&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Handle security-related exceptions&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;
  
  
  What Happens Inside the Filter Chain?
&lt;/h2&gt;

&lt;p&gt;When a request enters the application, multiple filters examine it one by one.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Is the user authenticated?&lt;/li&gt;
&lt;li&gt;Does the request contain a valid JWT token?&lt;/li&gt;
&lt;li&gt;Does the user have the required role?&lt;/li&gt;
&lt;li&gt;Is access allowed for this endpoint?&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Each filter has a specific responsibility.&lt;/p&gt;

&lt;p&gt;If any check fails, the request is stopped immediately.&lt;/p&gt;
&lt;h2&gt;
  
  
  A Simple Example
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Suppose a user tries to access:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;GET /api/customers
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The request first enters the Security Filter Chain.&lt;/p&gt;

&lt;p&gt;Request&lt;br&gt;
   ↓&lt;br&gt;
Filter 1: Authentication Check&lt;br&gt;
   ↓&lt;br&gt;
Filter 2: Authorization Check&lt;br&gt;
   ↓&lt;br&gt;
Controller&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;If authentication fails:&lt;/strong&gt;&lt;br&gt;
Request&lt;br&gt;
   ↓&lt;br&gt;
Authentication Failed ❌&lt;br&gt;
   ↓&lt;br&gt;
Access Denied&lt;/p&gt;

&lt;p&gt;The controller is never reached.&lt;/p&gt;
&lt;h2&gt;
  
  
  Defining a Security Filter Chain
&lt;/h2&gt;

&lt;p&gt;In modern Spring Security, we configure security using a SecurityFilterChain bean.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="nd"&gt;@Bean&lt;/span&gt; 
&lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="nc"&gt;SecurityFilterChain&lt;/span&gt; &lt;span class="nf"&gt;securityFilterChain&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nc"&gt;HttpSecurity&lt;/span&gt; &lt;span class="n"&gt;http&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="kd"&gt;throws&lt;/span&gt; &lt;span class="nc"&gt;Exception&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt; 

&lt;span class="n"&gt;http&lt;/span&gt; 
     &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;authorizeHttpRequests&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;auth&lt;/span&gt; &lt;span class="o"&gt;-&amp;gt;&lt;/span&gt; &lt;span class="n"&gt;auth&lt;/span&gt;
        &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;requestMatchers&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"/admin/**"&lt;/span&gt;&lt;span class="o"&gt;).&lt;/span&gt;&lt;span class="na"&gt;hasRole&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"ADMIN"&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
        &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;anyRequest&lt;/span&gt;&lt;span class="o"&gt;().&lt;/span&gt;&lt;span class="na"&gt;authenticated&lt;/span&gt;&lt;span class="o"&gt;()&lt;/span&gt; 
     &lt;span class="o"&gt;)&lt;/span&gt;
     &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;formLogin&lt;/span&gt;&lt;span class="o"&gt;();&lt;/span&gt; 

  &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;http&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;build&lt;/span&gt;&lt;span class="o"&gt;();&lt;/span&gt; 
&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In this configuration:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;/admin/** can only be accessed by ADMIN users.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;All other requests require authentication.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Spring automatically creates the required security filters.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  What Happens Internally?
&lt;/h2&gt;

&lt;p&gt;When a request comes in:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The request enters the Security Filter Chain.&lt;/li&gt;
&lt;li&gt;Authentication filters verify the user.&lt;/li&gt;
&lt;li&gt;Authorization filters check permissions.&lt;/li&gt;
&lt;li&gt;If everything is valid, the request reaches the controller.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Client Request&lt;br&gt;
 ↓ &lt;br&gt;
Security Filter Chain&lt;br&gt;
 ↓ &lt;br&gt;
Authentication&lt;br&gt;
 ↓ &lt;br&gt;
Authorization &lt;br&gt;
↓&lt;br&gt;
 Controller &lt;br&gt;
↓ &lt;br&gt;
Response&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Is It Important?
&lt;/h2&gt;

&lt;p&gt;One thing I found interesting is that Spring Security doesn't protect controllers directly.&lt;br&gt;
Instead, it protects the application by intercepting requests before they reach the controller.&lt;br&gt;
This is why even if your controller exists, unauthorized users cannot access it.&lt;br&gt;
The Security Filter Chain acts as the first line of defense.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Big Takeaway
&lt;/h2&gt;

&lt;p&gt;The Security Filter Chain is the backbone of Spring Security.&lt;/p&gt;

&lt;p&gt;Whenever a request enters your application:&lt;/p&gt;

&lt;p&gt;✅ It passes through multiple security filters&lt;/p&gt;

&lt;p&gt;✅ Authentication is verified&lt;/p&gt;

&lt;p&gt;✅ Authorization is checked&lt;/p&gt;

&lt;p&gt;✅ Only valid requests reach the controller&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A simple way to remember it is:&lt;/strong&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The Security Filter Chain is the gatekeeper of your application.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Understanding this concept made many Spring Security features easier for me to understand, and I hope it helps you too. 🚀&lt;/p&gt;

</description>
      <category>java</category>
      <category>webdev</category>
      <category>beginners</category>
      <category>security</category>
    </item>
    <item>
      <title>Authentication vs Authorization: Understanding the Difference in Spring Security</title>
      <dc:creator>sonali kumari shahi</dc:creator>
      <pubDate>Wed, 03 Jun 2026 11:36:03 +0000</pubDate>
      <link>https://dev.to/sonalishahi/authentication-vs-authorization-understanding-the-difference-in-spring-security-4j4c</link>
      <guid>https://dev.to/sonalishahi/authentication-vs-authorization-understanding-the-difference-in-spring-security-4j4c</guid>
      <description>&lt;p&gt;When I started learning Spring Security, I kept seeing two terms everywhere:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Authentication and Authorization&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;At first, they sounded almost the same to me.&lt;br&gt;
But as I learned more, I realized they answer two completely different questions.&lt;br&gt;
Understanding this difference is important because these concepts are at the heart of every secure application.&lt;br&gt;
Let's break them down in the simplest way possible.&lt;/p&gt;
&lt;h2&gt;
  
  
  Authentication: Who Are You?
&lt;/h2&gt;

&lt;p&gt;Authentication is the process of verifying a user's identity.&lt;br&gt;
In simple words, the application asks: &lt;strong&gt;"Who are you?"&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;For example, when you log in using your username and password:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;   Username: sonali
   Password: ********
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;The application checks whether these credentials are correct.&lt;/strong&gt;&lt;br&gt;
If they are correct, you are authenticated.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Think of it like entering a college campus.&lt;br&gt;
The security guard checks your ID card to confirm that you are actually a student.&lt;br&gt;
That's authentication.&lt;br&gt;
✅ Identity Verified&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Authorization: What Are You Allowed To Do?
&lt;/h2&gt;

&lt;p&gt;After authentication, another question is asked: &lt;strong&gt;"What are you allowed to do?"&lt;/strong&gt;&lt;br&gt;
This is authorization.&lt;br&gt;
&lt;strong&gt;Even if two users are logged in, they may not have the same permissions.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Admin can manage users&lt;/li&gt;
&lt;li&gt;Employee can view data&lt;/li&gt;
&lt;li&gt;Customer can access only their own account&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Authorization decides what resources a user can access.&lt;/strong&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Using the same college example:&lt;br&gt;
The security guard verified your identity at the gate.&lt;br&gt;
But that doesn't mean you can enter every room on campus.&lt;br&gt;
Some rooms may be restricted to staff members only.&lt;br&gt;
That's authorization.&lt;br&gt;
✅ Permission Check&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  How Spring Security Uses Them
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Whenever a request enters a Spring Boot application:&lt;/strong&gt;&lt;br&gt;
Request&lt;br&gt;
   ↓&lt;br&gt;
Authentication&lt;br&gt;
   ↓&lt;br&gt;
Authorization&lt;br&gt;
   ↓&lt;br&gt;
Controller&lt;/p&gt;

&lt;p&gt;First, Spring Security verifies the user.&lt;br&gt;
Then it checks whether the user has permission to access the requested resource.&lt;br&gt;
Only after both checks pass does the request reach the controller.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Big Takeaway
&lt;/h2&gt;

&lt;p&gt;Authentication and Authorization work together, but they solve different problems.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Authentication confirms your identity.&lt;/strong&gt;&lt;br&gt;
&lt;strong&gt;Authorization determines your permissions.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A simple way to remember:&lt;br&gt;
Authentication = Who are you?&lt;br&gt;
Authorization = What can you do?&lt;/p&gt;

&lt;p&gt;Once I understood this difference, many Spring Security concepts became much easier to understand. I hope this explanation helps you too.&lt;/p&gt;

</description>
      <category>java</category>
      <category>springboot</category>
      <category>springsecurity</category>
      <category>backend</category>
    </item>
    <item>
      <title>What Happens Before Your API Receives a Request in Spring Security?</title>
      <dc:creator>sonali kumari shahi</dc:creator>
      <pubDate>Tue, 02 Jun 2026 11:22:32 +0000</pubDate>
      <link>https://dev.to/sonalishahi/what-happens-before-your-api-receives-a-request-in-spring-security-2lmc</link>
      <guid>https://dev.to/sonalishahi/what-happens-before-your-api-receives-a-request-in-spring-security-2lmc</guid>
      <description>&lt;p&gt;When I first added Spring Security to my Spring Boot project, something surprising happened.&lt;br&gt;
All my APIs were suddenly protected, and I could no longer access them without authentication.&lt;br&gt;
At first, it felt like magic. 😄&lt;/p&gt;

&lt;p&gt;But then I wondered:&lt;/p&gt;
&lt;h2&gt;
  
  
  What actually happens when a request enters a Spring Security application?
&lt;/h2&gt;

&lt;p&gt;In this blog, we'll follow the complete journey of a request and understand how Spring Security protects our application behind the scenes.&lt;/p&gt;
&lt;h2&gt;
  
  
  A Request's Journey Through Spring Security
&lt;/h2&gt;

&lt;p&gt;Let's say a user sends a request to access:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;GET /api/customers
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You might think the request goes directly to the controller.&lt;br&gt;
But that's not true.&lt;br&gt;
Before your controller sees the request, Spring Security steps in and starts asking a few important questions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;First Question: "Who Are You?"&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The request arrives at Spring Security's filter chain.&lt;/p&gt;

&lt;p&gt;At this point, Spring Security tries to identify the user.&lt;/p&gt;

&lt;p&gt;It looks for credentials such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Username and Password&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;JWT Token&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;OAuth Credentials&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If no credentials are found, Spring Security stops the request right there.&lt;/p&gt;

&lt;p&gt;The controller never gets a chance to handle it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Second Question: "Are These Credentials Valid?"&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If credentials are present, Spring Security verifies them.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Is the username correct?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Does the password match?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Is the JWT token valid and not expired?&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If the verification fails, the request is rejected.&lt;/p&gt;

&lt;p&gt;Only valid users can move to the next stage.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Third Question: "What Are You Allowed To Access?"&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Now Spring Security knows who the user is.&lt;/p&gt;

&lt;p&gt;But being authenticated doesn't automatically mean you can access everything.&lt;/p&gt;

&lt;p&gt;Suppose a user tries to access an admin endpoint:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;/admin/users
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Spring Security checks the user's roles and permissions.&lt;/p&gt;

&lt;p&gt;If the user has the required authority, the request moves forward.&lt;/p&gt;

&lt;p&gt;Otherwise, access is denied.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Finally, The Request Reaches The Controller&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Only after passing all security checks does the request reach your controller.&lt;/p&gt;

&lt;p&gt;Request&lt;br&gt;
   ↓&lt;br&gt;
Spring Security&lt;br&gt;
   ↓&lt;br&gt;
Authentication&lt;br&gt;
   ↓&lt;br&gt;
Authorization&lt;br&gt;
   ↓&lt;br&gt;
Controller&lt;/p&gt;

&lt;p&gt;At this point, your business logic starts executing and a response is generated.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Big Takeaway
&lt;/h2&gt;

&lt;p&gt;One thing that surprised me while learning Spring Security was that the controller is actually the last stop in the journey.&lt;/p&gt;

&lt;p&gt;Before a request reaches your API, Spring Security has already:&lt;/p&gt;

&lt;p&gt;✅ Identified the user&lt;/p&gt;

&lt;p&gt;✅ Verified the credentials&lt;/p&gt;

&lt;p&gt;✅ Checked permissions&lt;/p&gt;

&lt;p&gt;✅ Decided whether the request should be allowed&lt;/p&gt;

&lt;p&gt;That's why Spring Security is such an important part of modern backend applications.&lt;/p&gt;

&lt;p&gt;It acts as a protective layer between users and your business logic, making sure only the right people can access the right resources.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What Spring Security topic would you like to see next?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;🔹 Authentication vs Authorization&lt;br&gt;
🔹 Security Filter Chain&lt;br&gt;
🔹 JWT Authentication&lt;br&gt;
🔹 UserDetailsService&lt;/p&gt;

&lt;p&gt;Let me know in the comments! 🚀&lt;/p&gt;

</description>
      <category>springboot</category>
      <category>backend</category>
      <category>java</category>
      <category>springsecurity</category>
    </item>
  </channel>
</rss>
