Deep Dive into Spring Security Authentication Process and Core Components
This article provides a comprehensive analysis of Spring Security's authentication mechanism, detailing the filter chain, core components such as SecurityContextHolder, AuthenticationManager, ProviderManager, and AuthenticationProvider, and illustrating the step‑by‑step flow of username‑password verification with extensive code examples.
Introduction
In enterprise‑level projects, the two most popular authentication and authorization frameworks are Spring Security and Shiro. Spring Security offers richer functionality and a larger community, but its learning curve is steeper, making it the preferred choice for medium to large projects, while Shiro is often used in smaller applications.
What is Spring Security?
“Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements.”
Spring Security provides two core capabilities: authentication (verifying user identity) and authorization (checking access rights).
Core Filters
Spring Security implements authentication through a chain of filters. The default DefaultSecurityFilterChain is created at startup and contains filters such as SecurityContextPersistenceFilter, UsernamePasswordAuthenticationFilter, AnonymousAuthenticationFilter, and ExceptionTranslationFilter. These filters intercept requests and responses, establishing the security context and handling authentication exceptions.
Core Components
SecurityContextHolder: static holder for the SecurityContext, which stores the current Authentication object.
SecurityContext: container that holds the Authentication instance.
Authentication: interface representing the authentication token (e.g., UsernamePasswordAuthenticationToken).
AuthenticationManager: orchestrates authentication by delegating to a list of AuthenticationProvider implementations.
Typical usage:
// Read the Authentication that the filter chain stored for the current thread
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
// SecurityUserDetails is an application-defined UserDetails implementation, not a Spring Security class
SecurityUserDetails userDetails = (SecurityUserDetails) authentication.getPrincipal();
The SecurityContextHolder can store the context in three modes: MODE_THREADLOCAL, MODE_INHERITABLETHREADLOCAL, and MODE_GLOBAL, depending on threading requirements.
Authentication Flow
The user submits credentials; UsernamePasswordAuthenticationFilter creates a UsernamePasswordAuthenticationToken and passes it to the AuthenticationManager.
The AuthenticationManager (usually a ProviderManager) iterates over the configured AuthenticationProvider instances. The first provider that supports the token type (commonly DaoAuthenticationProvider) performs the actual verification.
DaoAuthenticationProvider retrieves user details via a UserDetailsService, checks account status, and validates the password using a PasswordEncoder.
On successful verification, an authenticated UsernamePasswordAuthenticationToken is returned and stored in the SecurityContextHolder. On failure, an AuthenticationException is propagated.
Key Provider Interfaces
AuthenticationProvider defines two methods: Authentication authenticate(Authentication authentication) and boolean supports(Class<?> authentication). Implementations such as DaoAuthenticationProvider encapsulate the concrete authentication logic.
Custom authentication scenarios (e.g., SMS code, third‑party OAuth) are realized by providing custom AuthenticationProvider implementations.
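The flow described in the steps above and the two AuthenticationProvider methods, shown as an added example that is not from the original article: a hypothetical DemoAuthenticationProvider (the class name, the in-memory user store and the sample credentials are constructed for illustration) registered with a ProviderManager, which accepts a correct password and rejects a wrong one.

```java
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Hypothetical provider that mirrors the DaoAuthenticationProvider steps described above. */
public class DemoAuthenticationProvider implements AuthenticationProvider {
    private final UserDetailsService users;
    private final PasswordEncoder encoder;

    public DemoAuthenticationProvider(UserDetailsService users, PasswordEncoder encoder) {
        this.users = users;
        this.encoder = encoder;
    }

    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        String raw = request.getCredentials() == null ? "" : request.getCredentials().toString();
        UserDetails user;
        try {
            user = users.loadUserByUsername(request.getName());
        } catch (UsernameNotFoundException e) {
            // Same error as a wrong password (DaoAuthenticationProvider's default) so usernames cannot be enumerated
            throw new BadCredentialsException("Bad credentials");
        }
        if (!user.isAccountNonLocked()) throw new LockedException("Account locked");
        if (!user.isEnabled()) throw new DisabledException("Account disabled");
        if (!encoder.matches(raw, user.getPassword())) throw new BadCredentialsException("Bad credentials");
        // Return a fresh token marked authenticated: credentials are dropped, authorities attached
        return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed in-memory user store standing in for a database-backed UserDetailsService
        UserDetails alice = User.withUsername("alice").password(encoder.encode("s3cret")).roles("USER").build();
        UserDetailsService store = name -> { if (name.equals("alice")) return alice; throw new UsernameNotFoundException(name); };
        AuthenticationManager manager = new ProviderManager(new DemoAuthenticationProvider(store, encoder));
        Authentication ok = manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "s3cret"));
        SecurityContextHolder.getContext().setAuthentication(ok); // what the filter does after success
        System.out.println(ok.isAuthenticated() + " " + ok.getAuthorities());
        try { manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "nope")); }
        catch (AuthenticationException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Running main prints the authenticated token's authorities for the correct password and the BadCredentialsException message for the wrong one.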
Summary
The article dissects Spring Security’s authentication pipeline, from the filter chain to the low‑level provider mechanisms, offering code snippets and diagrams to help developers understand and troubleshoot the framework’s security flow.
ZCY Technology (政采云技术)
ZCY Technology Team (Zero), based in Hangzhou, is a growth-oriented team passionate about technology and craftsmanship. With around 500 members, we are building comprehensive engineering, project management, and talent development systems. We are committed to innovation and creating a cloud service ecosystem for government and enterprise procurement. We look forward to your joining us.