DEV Community

Md Shahriar

Understanding the Spring Security Architecture

Securing applications the proper way has never been more crucial. There are many options for securing yours, so let me walk you through the Spring Security architecture to help you understand why it could be your go-to framework.

A Look at the components involved

At first, the client sends an HTTP request to the server, and that request must pass through a chain of filters called the Security Filter Chain. The chain contains many filters, but we'll focus on just one of them, the UsernamePasswordAuthenticationFilter. Spring Security's default setting is to use a login form, and a randomly generated password is printed on your terminal at startup, which you need to use to log in.

After you provide your credentials, a UsernamePasswordAuthenticationToken is created from the username and password. This token is passed to the AuthenticationManager (which is responsible for managing the authentication). It is then passed to one of its AuthenticationProvider beans (DaoAuthenticationProvider is the most widely used). The provider handles the authentication logic by verifying the user's credentials against a database.

Authentication logic can be complex and requires a class that fetches the user details stored in the database. For that, a UserDetailsService is used, which loads the user's data as a UserDetails object.

When the UsernamePasswordAuthenticationToken is validated, it is populated with additional data (for example, the user's granted authorities) and returned to the AuthenticationManager. It is then stored in the SecurityContext, which is held by the SecurityContextHolder. If the application is session-based, the SecurityContext is stored in the HTTP session.

When the client logs out, the authentication object is cleared from the SecurityContextHolder.
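The flow described above, wired up as a Spring Security 6 configuration. This is an added example, not code from the original post; it assumes Spring Boot 3 with spring-boot-starter-security and spring-boot-starter-web on the classpath. The in-memory user `alice`, her password, and the `/public/**`, `/home` and `/whoami` paths are constructed sample values, not real accounts or routes.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example: one configuration class for each component named in the post.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // UserDetailsService: loads a user by username and returns it as a UserDetails.
    // A real application would query its database here; the in-memory store stands in for it.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice")                    // constructed sample user
                .password(encoder.encode("change-me"))    // stored as a bcrypt hash, never in clear text
                .roles("USER")
                .build());
    }

    // PasswordEncoder: DaoAuthenticationProvider uses it to compare the submitted
    // password with the stored hash.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // AuthenticationManager: a ProviderManager that delegates to DaoAuthenticationProvider,
    // which checks the UsernamePasswordAuthenticationToken against the UserDetailsService.
    // Spring Boot builds an equivalent manager automatically when a UserDetailsService
    // bean exists; it is spelled out here to make the delegation visible.
    @Bean
    public AuthenticationManager authenticationManager(UserDetailsService uds, PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(uds);
        provider.setPasswordEncoder(encoder);
        return new ProviderManager(provider);
    }

    // SecurityFilterChain: the chain every HTTP request passes through.
    // formLogin() registers the UsernamePasswordAuthenticationFilter that turns the
    // posted form into a UsernamePasswordAuthenticationToken; logout() clears the
    // SecurityContextHolder and invalidates the HTTP session.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.defaultSuccessUrl("/home", true))
            .logout(logout -> logout.logoutSuccessUrl("/login?logout"));
        return http.build();
    }
}

// After a successful login the populated token is available from the SecurityContextHolder
// for the rest of the request (and, with sessions, for later requests too).
@RestController
class WhoAmIController {
    @GetMapping("/whoami")
    public String whoAmI() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth.getName() + " " + auth.getAuthorities();
    }
}
```

Run the application, log in as `alice` through the generated form, and `GET /whoami` returns the principal name together with `[ROLE_USER]`, which is the "additional data" the provider attached to the token. Note that `SecurityContextHolder` is backed by a thread-local by default, so the context is only visible on the thread handling the request.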

Point to note:

When the session is stateless (for example, when using JWT tokens), the security measures are handled differently. Most of the authentication process is similar, except that stateless authentication doesn't rely on server-side sessions.

