Deep Dive into Spring Security Architecture and Implementation Principles
This article provides an in‑depth analysis of Spring Security 6.x architecture, explaining its filter‑chain design, authentication and authorization mechanisms, key components such as DelegatingFilterProxy, FilterChainProxy, SecurityFilterChain, and offers code examples and practical guidance for developers.
Spring Security is a powerful, highly customizable authentication and access‑control framework for Java web applications.
The core idea is to place security checks in a filter that runs before the controller, implemented as a chain of Filter objects.
Key components include DelegatingFilterProxy (bridges the servlet container and Spring), FilterChainProxy (selects a matching SecurityFilterChain based on request patterns), and the individual security filters such as CsrfFilter , UsernamePasswordAuthenticationFilter , and AuthorizationFilter .
public class SimpleSecurityFilter extends HttpFilter {
@Override
protected void doFilter(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain) throws IOException, ServletException {
UsernamePasswordToken token = extractUsernameAndPasswordFrom(request); // (1)
if (notAuthenticated(token)) { // (2)
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
return;
}
if (notAuthorized(token, request)) { // (3)
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
chain.doFilter(request, response); // (4)
}
}The authentication process is driven by AuthenticationManager (usually a ProviderManager ) which delegates to one or more AuthenticationProvider implementations such as DaoAuthenticationProvider for username/password checks.
public interface AuthenticationManager {
Authentication authenticate(Authentication authentication) throws AuthenticationException;
}During a login request, UsernamePasswordAuthenticationFilter extracts credentials, creates an unauthenticated UsernamePasswordAuthenticationToken , and passes it to the manager.
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException {
if (this.postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
}
String username = obtainUsername(request);
String password = obtainPassword(request);
UsernamePasswordAuthenticationToken authRequest =
UsernamePasswordAuthenticationToken.unauthenticated(username, password);
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}After successful authentication, the resulting Authentication object is stored in the SecurityContext and later used by the AuthorizationFilter to enforce access rules defined via the DSL (e.g., .requestMatchers("/admin").hasAuthority("ROLE_ADMIN") ).
public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse,
FilterChain chain) throws ServletException, IOException {
AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, request);
if (decision != null && !decision.isGranted()) {
throw new AccessDeniedException("Access Denied");
}
chain.doFilter(request, response);
}The framework is highly extensible: developers can replace UserDetailsService , PasswordEncoder , or provide custom AuthenticationProvider and AuthorizationManager implementations to fit specific requirements.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.