Table of contents
This page covers the following topics.
- Enable default Spring Security
- Spring Security filters
- Authentication providers
- Authentication manager
Enable default Spring Security
To allow Spring Security enabled for your project, add Spring Security to your project dependency.
<dependencies>
<!-- ... other dependency elements ... -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>Now you run your spring application, the following snippet shows some of the output that indicates that Spring Security is enabled in your application:
$ ./mvnw spring-boot:run
...
INFO 23689 --- [ restartedMain] .s.s.UserDetailsServiceAutoConfiguration :
Using generated security password: 8e557245-73e2-4286-969a-ff57fe326336
...
Spring Security filters
Now Spring Security is running as a chain of filters in the Servlet Filter Chain, positioned before the DispatcherServlet.
Client Request
↓
Servlet Container (e.g. Tomcat - Embedded Servlet Container)
↓
Servlet Filter Chain
↓ ← Spring Security Filters (e.g., AuthenticationFilter, CsrfFilter)
↓
DispatcherServlet (Spring MVC core)
↓
Controller
In a Spring Boot (or Spring MVC) application, HTTP requests go through a filter chain before reaching the DispatcherServlet.
You can see the chain of filters by enabling the debug mode of the logger. In application.properties, add this line:
logging.level.org.springframework.security=DEBUGNow when you re-start your spring program, you will find the filter chain in the terminal output:
FilterChainProxy: Securing URL: /api/data
Security filter chain: [
WebAsyncManagerIntegrationFilter,
SecurityContextPersistenceFilter,
HeaderWriterFilter,
CsrfFilter,
LogoutFilter,
UsernamePasswordAuthenticationFilter,
DefaultLoginPageGeneratingFilter,
BasicAuthenticationFilter,
RequestCacheAwareFilter,
SecurityContextHolderAwareRequestFilter,
AnonymousAuthenticationFilter,
SessionManagementFilter,
ExceptionTranslationFilter,
FilterSecurityInterceptor
]
Spring Security uses basic username and password authentication by default. You can add filters in your security configuration class, and you can define your own filter.
Below are some common security filters provided by Spring Security. These filters are applied in a defined order.
| Filter | Responsibility |
|---|---|
UsernamePasswordAuthenticationFilter | Authenticates login requests with username/password |
BasicAuthenticationFilter | Authenticates using HTTP Basic Auth |
BearerTokenAuthenticationFilter | Authenticates using Bearer (JWT) tokens |
SecurityContextPersistenceFilter | Loads the SecurityContext at the start of the request and stores it at the end |
ExceptionTranslationFilter | Handles exceptions like access denied or authentication entry point |
AuthorizationFilter | Checks if the user has permission to access the resource |
CsrfFilter | Validates CSRF tokens (if enabled) |
HttpSecurity configuration
You configure filters via HttpSecurity. HttpSecurity is the main DSL (Domain Specific Language) in Spring Security used to configure:
- Authentication mechanisms
- Authorisation rules
- Session management
- CSRF protection
- OAuth2 / JWT configuration
- Custom filters
@Configuration
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.anyRequest().authenticated()
)
.formLogin(withDefaults())
.csrf(csrf -> csrf.disable());
return http.build();
}
}Here:
authorizeHttpRequests(...): Sets who can access whatformLogin(...): Enables form-based logincsrf(...): Disables CSRF protection
When you call http.build(), Spring Security creates a SecurityFilterChain bean based on your configuration. This chain is automatically inserted into the Servlet container (e.g. Tomcat).
Authentication providers
Unauthenticated Authentication Object
↓
Authentication Provider
↓
Authenticated Authentication Object
Authentications happen in security filters, such as:
UsernamePasswordAuthenticationFilter(form login)BearerTokenAuthenticationFilter(JWT)BasicAuthenticationFilter(HTTP Basic Auth)
Spring Security provides a range of authentication providers for different authentication schemes.
The AuthenticationProvider is an interface that has an authenticate() method which takes an unauthenticated authentication object, this object is passed from an AuthenticationManager:
public interface AuthenticationProvider {
Authentication authenticate(Authentication authentication) throws AuthenticationException;
boolean supports(Class<?> authentication);
}The supports() method returns true if this AuthenticationProvider supports the indicated Authentication object.
Below are some common implementations - the concrete authentication providers.
| AuthenticationProvider | What It’s For |
|---|---|
| DaoAuthenticationProvider | The most commonly used. Authenticates a username/password combination using a UserDetailsService. Loads the user from a database or another store. |
| LdapAuthenticationProvider | Authenticates against an LDAP server (e.g. Microsoft AD, OpenLDAP). Used in enterprise setups. |
| OAuth2LoginAuthenticationProvider | Used in OAuth2 login flows (e.g., Google, Facebook login). Handles the login process and retrieves user info from the provider. |
Authentication manager
Authentication Filter (e.g., UsernamePasswordAuthenticationFilter, BearerTokenAuthenticationFilter)
↓
AuthenticationManager
↓
AuthenticationProvider
Authentication manager acts as the entry point to perform authentication and delegates the actual authentication logic to one or more AuthenticationProvider (s) by calling the authenticate() methods on them.
The AuthenticationManager is an interface with a single method:
Authentication authenticate(Authentication authentication) throws AuthenticationException;When authentication is needed (e.g., user logs in, sends a token, or accesses a protected endpoint), Spring passes an Authentication object (not yet authenticated) to the AuthenticationManager, which is delegated to verify its credentials by the AuthenticationProviders.
If the authentication is successful, the AuthenticationManager returns an authenticated authentication object.
The default Spring Security implementation of AuthenticationManager is ProviderManager. The ProviderManager will:
- Loop through its list of AuthenticationProviders
- Find one that supports the given Authentication type (by calling the [[#authentication-providers|
supports()method]] on the authentication providers) - Call that provider’s
authenticate()method to perform the actual authentication
You can inject multiple AuthenticationProvider instances into ProviderManager. Each AuthenticationProvider performs a specific type of authentication. For example, DaoAuthenticationProvider supports username/password-based authentication, while JwtAuthenticationProvider supports authenticating a JWT token.
Example flow
In a form login (DaoAuthenticationProvider) setup:
- The
UsernamePasswordAuthenticationFilterextracts username/password from the request. - It wraps them in a
UsernamePasswordAuthenticationToken. (See Before authentication (input to AuthenticationManager)) - That token is passed to the
AuthenticationManager.authenticate(...). AuthenticationManagerforwards it toDaoAuthenticationProvider.- The DAO authentication provider uses a
UserDetailsServiceto load the user and verify the password. - If the verification is successful, an fully authenticated authentication object
UsernamePasswordAuthenticationTokenwill be return by the authentication manager and it is then stored in the SecurityContextHolder. This makes the authenticated user accessible throughout the application via the SecurityContextHolder. - The filter then continues the filter chain:
filterChain.doFilter(request, response);
Back to parent page: Spring and Spring Boot
Spring Spring_Security Security_Filter Authenticaton Authorisaton
Reference: