Spring Security Architecture

Spring Security Workflow

Authentication Filters:

Before a request reaches the DispatcherServlet, it is first intercepted by a chain of filters. These filters are where Spring Security does its work: every incoming request passes through them, and it is here that authentication and authorization take place. Depending on the type of request, different authentication filters apply, such as BasicAuthenticationFilter and UsernamePasswordAuthenticationFilter.

Authentication Object Creation:

When the request is intercepted by the appropriate authentication filter, the filter retrieves the credentials (for example the username and password) from the request and creates an Authentication object. If the extracted credentials are a username and password, a UsernamePasswordAuthenticationToken is created.

Authentication Manager:

AuthenticationManager is an interface with a single authenticate method. Using the Authentication object it created, the filter calls the authenticate method of the AuthenticationManager. The actual implementation of the authenticate method is provided by ProviderManager. The AuthenticationManager takes an Authentication object as input and, after successful authentication, returns another object of type Authentication.

The ProviderManager holds a list of AuthenticationProviders. From its authenticate method it calls the authenticate method of the appropriate AuthenticationProvider. In response it receives the fully populated (principal) Authentication object if authentication is successful.

AuthenticationProvider:

AuthenticationProvider is an interface with a single authenticate method. It has various implementations such as CasAuthenticationProvider, DaoAuthenticationProvider and LdapAuthenticationProvider. Depending on the configuration, the appropriate AuthenticationProvider implementation is used. It is in the authenticate method of the AuthenticationProvider implementation that the actual authentication takes place.

Using the UserDetailsService, the AuthenticationProvider fetches the User object corresponding to the username. It may fetch this User object from a database, from in-memory storage or from another source. The credentials of this User object are then compared with the credentials in the incoming Authentication object. If authentication is successful, the principal Authentication object is returned in response.

UserDetailsService:

The UserDetailsService is an interface with a single method named loadUserByUsername. It has various implementations such as InMemoryUserDetailsManager and JdbcDaoImpl; the appropriate implementation is called based on the configuration. It is responsible for fetching the User object (with its username and password) against which the incoming credentials are compared.
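The whole chain described above (filter creates the token, ProviderManager delegates to DaoAuthenticationProvider, which loads the user through a UserDetailsService and compares credentials) can be exercised outside a servlet container. The following is an added example, not code from the Spring Security project or from the original page; it assumes Spring Security 5.x or later on Java 11+, and the MapUserDetailsService class, the "alice" account and its password are constructed for the demonstration.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import java.util.List;
import java.util.Map;

public class AuthenticationFlowDemo {

    /** Hypothetical UserDetailsService backed by a map; it stands in for a database or LDAP lookup. */
    static class MapUserDetailsService implements UserDetailsService {
        private final Map<String, UserDetails> users;

        MapUserDetailsService(Map<String, UserDetails> users) {
            this.users = users;
        }

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            UserDetails user = users.get(username);
            if (user == null) {
                // DaoAuthenticationProvider hides this as BadCredentialsException by default,
                // so callers cannot tell an unknown username from a wrong password.
                throw new UsernameNotFoundException("No user: " + username);
            }
            return user;
        }
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // Constructed sample account: only the bcrypt hash is stored, never the plaintext.
        UserDetails alice = User.withUsername("alice")
                .password(encoder.encode("correct-horse"))
                .roles("USER")
                .build();
        UserDetailsService userDetailsService = new MapUserDetailsService(Map.of("alice", alice));

        // AuthenticationProvider: loads the user via the UserDetailsService and compares the
        // submitted password against the stored hash using the PasswordEncoder.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(encoder);

        // AuthenticationManager: ProviderManager delegates to its list of providers.
        AuthenticationManager manager = new ProviderManager(List.of(provider));

        // What the filter does: build an unauthenticated token from the request credentials.
        Authentication request = new UsernamePasswordAuthenticationToken("alice", "correct-horse");
        Authentication result = manager.authenticate(request);
        System.out.println("authenticated=" + result.isAuthenticated()
                + " principal=" + result.getName()
                + " authorities=" + result.getAuthorities());

        // Wrong password: the provider throws rather than returning a token.
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (BadCredentialsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points worth checking in any real configuration: the PasswordEncoder set on the provider must match the format of the stored hashes (a plaintext store combined with a hashing encoder fails every login, and the reverse defeats the point of hashing), and the returned Authentication carries the credentials until something erases them, so leave ProviderManager's default of erasing credentials after successful authentication in place.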