The latest articles on Forem by esteban389 (@esteban389). https://forem.com/esteban389 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2955113%2F3f9a16f7-c856-4fe6-a162-0a648686f085.png https://forem.com/esteban389 en esteban389 Wed, 19 Mar 2025 01:53:51 +0000 https://forem.com/esteban389/demystifying-authentication-in-spring-security-57oj https://forem.com/esteban389/demystifying-authentication-in-spring-security-57oj <p>Authentication is one of the most fundamental features in modern applications—whether you’re logging into a website, accessing an API, or even verifying a one-time password. If you’re working within the Spring ecosystem, you’ve probably heard of Spring Security, the go-to framework for handling authentication and security.</p> <p>But let’s be honest… Spring Security can feel overwhelming! 🌀 Between authentication providers, user details, and authentication managers, it’s easy to get lost. If you've ever found yourself wondering "Where does my password even get checked?"—you're not alone!</p> <p>In this article, I’ll break down authentication in Spring Security into simple, easy-to-follow steps. We’ll compare a basic authentication flow (like checking a username and password) with how Spring Security handles each step under the hood. By the end, you'll have a clear understanding of what’s happening behind the scenes. 🚀​</p> <p>Let’s dive in! 🔍​</p> <h2> Understanding Basic Authentication </h2> <p>Before we jump into how Spring Security handles authentication, let’s talk about why we need authentication in the first place. In most applications, you want to control access to certain features or data. That means you need a way to confirm that users are who they say they are. That’s exactly what authentication does!</p> <blockquote> <p>In a computer system, authentication (“auth” for short) is the process that verifies that a user is who they claim to be. <a href="https://www.ibm.com/think/topics/authentication" rel="noopener noreferrer">IBM What is Authentication?</a> | IBM​</p> </blockquote> <p>Although web applications can be quite different from each other, the authentication flow is often very similar. A single, generalized flow might cover the vast majority of use cases. Here’s a diagram of a common authentication flow:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcgalqfpkhz1esducey85.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcgalqfpkhz1esducey85.png" alt="Common authentication flow diagram" width="800" height="1198"></a><br> Let’s break it down step by step. 🏃‍♂️💨​</p> <h3> Visiting the server </h3> <p>It all starts when a user visits your site or makes an initial request to your server. In some cases, the server may include a CSRF token in its response, depending on your security needs (these are steps 1 and 1.1 in the diagram).</p> <p>Think of the CSRF token as a little “secret handshake” 🤝 that helps protect against certain security attacks.</p> <h3> Request an Authenticated Resource </h3> <p>Next, the user attempts to access a resource that requires authentication—for example, a page or an API endpoint that only logged-in users should see. The server then responds with a prompt for credentials, asking the user to prove they’re really who they claim to be.</p> <ul> <li>Commonly, these credentials are:</li> <li>Username and password</li> <li>Email (for sending a magic link)</li> <li>WebAuthn credentials (hardware security keys, etc.)</li> <li>Or any other unique proof of identity.</li> </ul> <p>This is all covered in steps 2 to 4 in the diagram. 🛂​</p> <h3> Search user </h3> <p>When the user’s credentials arrive at the server, the next step is to look them up in the database (or another storage system).<br> If the user doesn’t exist, the server immediately returns an error (steps 5 to 7.1).</p> <p>If the user is found, we move on to the final phase: checking the validity of their credentials.</p> <h3> Authenticate </h3> <p>At this point, the server validates the credentials. The exact process depends on your chosen authentication method:</p> <ul> <li>Username &amp; Password: The server will hash the incoming password and compare it with the hashed password stored in the database.</li> <li>Magic Link: The server checks if the link’s token is valid and hasn’t expired.</li> <li>WebAuthn: The server verifies the security challenge with the user’s device or browser.</li> </ul> <p>If the credentials are valid, the server returns a success response along with some identifier—often a session cookie or a token (like a JWT)—so the user doesn’t have to log in again on every request. This corresponds to steps 7.2 and 8 in the diagram.</p> <p>Think of this identifier as your “I’m logged in” badge. 🏷️​</p> <p>Now that you understand the core concepts, we’ll see how Spring Security manages each of these steps under the hood. Buckle up! 🚀</p> <h3> Mapping Authentication Steps to Spring Security Components </h3> <p>Now that we understand a typical authentication flow, let’s see how Spring Security tackles each step. Before diving in, let’s clear up one thing: if you've tried learning Spring Security before, you might have heard about a lot of additional concepts like CORS, the security filter chain, and more. But for this article, we’re keeping our focus solely on authentication. I’ll be showing you how Spring Security handles authentication in a REST API style. (I’ve personally never used Spring as a full-stack framework, so this approach suits my experience—but don’t worry, the concepts translate easily if you need a full-stack solution!)</p> <p>Here’s an overall view mapping a standard authentication flow to Spring Security components:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th><strong>Authentication Flow</strong></th> <th><strong>Spring Security Component</strong></th> </tr> </thead> <tbody> <tr> <td>User submits credentials</td> <td> <code>Authentication</code> (e.g., <code>UsernamePasswordAuthenticationToken</code>)</td> </tr> <tr> <td>Server searches for user</td> <td><code>UserDetailsService</code></td> </tr> <tr> <td>Check if user exists</td> <td><code>UsernameNotFoundException</code></td> </tr> <tr> <td>Verify credentials</td> <td> <code>AuthenticationProvider</code> (e.g., <code>DaoAuthenticationProvider</code>)</td> </tr> <tr> <td>Authentication success/failure</td> <td> <code>AuthenticationManager</code> orchestrates this</td> </tr> <tr> <td>Return authentication identifier</td> <td>Typically handled by a session or token mechanism</td> </tr> </tbody> </table></div> <p>This is a high-level overview of how authentication works within Spring Security. I’ve intentionally skipped some details that we’ll dig into as we break down each part further. Let’s dive in!</p> <h3> Authentication </h3> <p>Every time a user accesses a protected resource, they must prove their identity using credentials. This is where the <code>Authentication</code> interface comes into play. According to the Spring docs, it “represents the token for an authentication request or for an authenticated principal once the request has been processed by the <code>AuthenticationManager.authenticate(Authentication)</code> method.”<br> The <code>Authentication</code> object contains:</p> <ul> <li>Credentials (e.g., a password)</li> <li>Permissions/Authorities</li> <li>Principal (a representation of the authenticated user)</li> <li>Authentication status (authenticated or not)</li> <li>And other details regarding the authentication request</li> </ul> <p>A common implementation that you’ll likely use in many projects is the <code>UsernamePasswordAuthenticationToken</code>. Other examples include:</p> <ul> <li><code>OneTimeTokenAuthenticationToken</code></li> <li><code>AnonymousAuthenticationToken</code></li> <li><code>JwtAuthenticationToken</code></li> <li><code>BearerTokenAuthenticationToken</code></li> </ul> <p>There are many more out there, or you can roll your own (though I recommend doing so only for learning purposes) 😊.</p> <h3> UserDetailsService </h3> <p>If you’ve spent any time with Spring and the MVC pattern, you’ve likely encountered the concept of services. These act as a bridge between your business logic and your database interactions. In Spring Security, the <code>UserDetailsService</code> is your go-to for retrieving user data.</p> <p>The interface defines a single method: <code>loadUserByUsername(String username)</code>. This method’s job is to:</p> <h3> Locate the user based on the provided username. </h3> <p>Return a <code>UserDetails</code> object representation of the user that focuses on authentication and authorization data.</p> <p>Remember, your user entity can still have other attributes and extend different classes; the <code>UserDetails</code> interface just provides a focused view for security. You could technically bypass using <code>UserDetailsService</code> or <code>UserDetails</code> if you implement a custom authentication provider, but then you’d be fighting the framework’s conventions.</p> <p>Spring even offers some default implementations:</p> <ul> <li> <code>InMemoryUserDetailsManager</code> (great for prototyping, since it stores data only in memory)</li> <li> <code>JdbcDaoImpl</code> (retrieves user details from a database using JDBC queries)</li> <li> <code>JdbcUserDetailsManager</code> (an enhanced version of JdbcDaoImpl with additional features) </li> </ul> <h3> UsernameNotFoundException </h3> <p>When the <code>UserDetailsService</code> can’t find a user, it throws a <code>UsernameNotFoundException</code>. This exception is a subclass of <code>AuthenticationException</code>, the base class for all exceptions related to failed authentication attempts. Other exceptions in this family include:</p> <ul> <li><code>BadCredentialsException</code></li> <li><code>AuthenticationCredentialsNotFoundException</code></li> <li><code>CompromisedPasswordException</code></li> </ul> <p>These exceptions help Spring Security signal what went wrong during the authentication process ⚠️.</p> <h3> AuthenticationManager and AuthenticationProvider </h3> <p>Now we’re at the stage where we verify that the credentials are correct 🧐. This is handled by the <code>AuthenticationManager</code>, which processes an <code>Authentication</code> object (remember, the representation of your user’s credentials, whether authenticated or not).</p> <p>The most common implementation of <code>AuthenticationManager</code> is the <code>ProviderManager</code>. This manager maintains a list of <code>AuthenticationProvider</code> instances and iterates over them until one can successfully handle the authentication request. Here’s a simplified snippet to illustrate this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="nc">Authentication</span> <span class="nf">authenticate</span><span class="o">(</span><span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">AuthenticationException</span> <span class="o">{</span> <span class="nc">Class</span><span class="o">&lt;?</span> <span class="kd">extends</span> <span class="nc">Authentication</span><span class="o">&gt;</span> <span class="n">toTest</span> <span class="o">=</span> <span class="n">authentication</span><span class="o">.</span><span class="na">getClass</span><span class="o">();</span> <span class="nc">AuthenticationException</span> <span class="n">lastException</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span> <span class="nc">Authentication</span> <span class="n">result</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span> <span class="k">for</span> <span class="o">(</span><span class="nc">AuthenticationProvider</span> <span class="n">provider</span> <span class="o">:</span> <span class="n">getProviders</span><span class="o">())</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(!</span><span class="n">provider</span><span class="o">.</span><span class="na">supports</span><span class="o">(</span><span class="n">toTest</span><span class="o">))</span> <span class="o">{</span> <span class="k">continue</span><span class="o">;</span> <span class="o">}</span> <span class="n">result</span> <span class="o">=</span> <span class="n">provider</span><span class="o">.</span><span class="na">authenticate</span><span class="o">(</span><span class="n">authentication</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">result</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">copyDetails</span><span class="o">(</span><span class="n">authentication</span><span class="o">,</span> <span class="n">result</span><span class="o">);</span> <span class="k">break</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Notice how the ProviderManager checks each provider to see if it supports the type of authentication being attempted. It stops once it finds one that successfully authenticates the request ✅.</p> <p>The AuthenticationProvider interface itself defines just two methods:</p> <ul> <li> <code>supports(Class&lt;?&gt; authentication)</code>: Checks if the provider can handle the given authentication type.</li> <li> <code>authenticate(Authentication authentication)</code>: Contains the logic for verifying the credentials.</li> </ul> <p>Spring Security provides several implementations, like <code>DaoAuthenticationProvider</code> for username/password checks or <code>JwtAuthenticationProvider</code> for JWT-based authentication. For example, a snippet from the JwtAuthenticationProvider might look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">Authentication</span> <span class="nf">authenticate</span><span class="o">(</span><span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">AuthenticationException</span> <span class="o">{</span> <span class="nc">BearerTokenAuthenticationToken</span> <span class="n">bearer</span> <span class="o">=</span> <span class="o">(</span><span class="nc">BearerTokenAuthenticationToken</span><span class="o">)</span> <span class="n">authentication</span><span class="o">;</span> <span class="nc">Jwt</span> <span class="n">jwt</span> <span class="o">=</span> <span class="n">getJwt</span><span class="o">(</span><span class="n">bearer</span><span class="o">);</span> <span class="nc">AbstractAuthenticationToken</span> <span class="n">token</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">jwtAuthenticationConverter</span><span class="o">.</span><span class="na">convert</span><span class="o">(</span><span class="n">jwt</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">token</span><span class="o">.</span><span class="na">getDetails</span><span class="o">()</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">token</span><span class="o">.</span><span class="na">setDetails</span><span class="o">(</span><span class="n">bearer</span><span class="o">.</span><span class="na">getDetails</span><span class="o">());</span> <span class="o">}</span> <span class="k">this</span><span class="o">.</span><span class="na">logger</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"Authenticated token"</span><span class="o">);</span> <span class="k">return</span> <span class="n">token</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">supports</span><span class="o">(</span><span class="nc">Class</span><span class="o">&lt;?&gt;</span> <span class="n">authentication</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">BearerTokenAuthenticationToken</span><span class="o">.</span><span class="na">class</span><span class="o">.</span><span class="na">isAssignableFrom</span><span class="o">(</span><span class="n">authentication</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>In this example, the provider casts the <code>Authentication</code> object to the expected type, processes the JWT, and converts it back to an authenticated token. If a provider returns null, the <code>ProviderManager</code> moves on to the next one. This mechanism ensures that your application finds the right way to authenticate each request 🔍.</p> <h3> Returning a response </h3> <p>At the end of the authentication process, your application needs to return a response. If you’re building your own implementation, this could mean:</p> <ul> <li>Setting a cookie in a cookie-based authentication.</li> <li>Returning a JWT token for stateless APIs.</li> <li>Or any other mechanism you choose.</li> </ul> <p>For a quick example, you might create an AuthController with a login endpoint that accepts a record like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="n">record</span> <span class="nf">LoginRequest</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">,</span> <span class="nc">String</span> <span class="n">passsword</span><span class="o">){}</span> </code></pre> </div> <p>​</p> <p>This controller would create a <code>UsernamePasswordAuthenticationToken</code>, trigger the authentication process, and then return a response containing either a cookie or a token based on the result.</p> <h2> Diving Deeper: Exploring Spring Security’s Built-In Login Mechanism </h2> <p>So far, we’ve covered the essentials, and you could build your own authentication flow with these pieces. But if you’re curious about the “Spring way” of doing things, here’s a sneak peek into how Spring handles login by default.</p> <blockquote> <p>Tip: If this next section feels a bit heavy or introduces additional concepts you’re not yet comfortable with, feel free to skip ahead and come back later. Understanding these concepts—even at a high level—will help you grasp how Spring Security works under the hood.</p> </blockquote> <h3> How Does Spring Security Handle Login? </h3> <p>Spring Security provides a default login mechanism, but how does it actually work?</p> <p>When a user submits their credentials, the request is sent to the configured login endpoint.</p> <p>Spring Security intercepts this request using a filter, specifically <code>UsernamePasswordAuthenticationFilter</code>.</p> <p>The filter attempts authentication, following the flow we discussed earlier. If authentication succeeds, Spring Security stores the <code>Authentication</code> object in the <code>SecurityContextHolder</code>. Before responding to the client, the <code>SecurityContext</code>is persisted via a <code>SecurityContextRepository</code>. This sequence allows Spring Security to maintain authentication across multiple requests.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftkgpv6rpa5gepvjpcbxj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftkgpv6rpa5gepvjpcbxj.png" alt="WoW" width="491" height="396"></a></p> <p>WOW that was a lot of info and new concepts in such a short amount of time right? Let’s, once again, define what we need and how those needs are solved by different components of spring.<br> First things first,</p> <h3> WHAT THE F*CK IS A FILTER? </h3> <p>Spring Security relies on a Security Filter Chain, a series of filters that process requests and responses. These filters handle security tasks such as authentication, authorization, and CSRF protection.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F822rnemv0geujebgj54z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F822rnemv0geujebgj54z.png" alt="Filter chain illustration" width="320" height="462"></a><br> <a href="https://docs.spring.io/spring-security/reference/servlet/architecture.html" rel="noopener noreferrer">Architecture::Spring Security </a></p> <p>When a client makes an HTTP request:</p> <ul> <li>The request passes through multiple security filters.</li> <li>The request is authenticated and authorized.</li> <li>If allowed, it reaches the servlet for further processing.</li> </ul> <p>Spring Boot automatically configures these filters, but you can inspect them with the following example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">UserDetailsService</span> <span class="nf">inMemoryUserDetails</span><span class="o">()</span> <span class="o">{</span> <span class="nc">UserDetails</span> <span class="n">admin</span> <span class="o">=</span> <span class="nc">User</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"admin"</span><span class="o">)</span> <span class="o">.</span><span class="na">password</span><span class="o">(</span><span class="s">"{noop}admin"</span><span class="o">)</span> <span class="o">.</span><span class="na">roles</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InMemoryUserDetailsManager</span><span class="o">(</span><span class="n">admin</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">authorizeHttp</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">authorizeHttp</span><span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/login"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">();</span> <span class="n">authorizeHttp</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">();</span> <span class="o">})</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="n">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>This configuration:</p> <ul> <li>Creates an in-memory admin user.</li> <li>Enables default login behavior.</li> <li>Allows access to /login while protecting other endpoints.</li> </ul> <h3> Exploring the Security Filter Chain </h3> <p>Spring Security manages filters using a Filter Chain Proxy, which contains one or more Security Filter Chains. The Security Filter Chain is Spring-specific and integrates deeply with the Spring framework, unlike the standard Servlet Filter Chain.<br> You can inspect the active Security Filter Chains using this endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@GetMapping</span> <span class="kd">private</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">Integer</span><span class="o">,</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">Integer</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;&gt;</span> <span class="nf">getSecurityFilterChainProxy</span><span class="o">(){</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">Integer</span><span class="o">,</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">Integer</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;&gt;</span> <span class="n">filterChains</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="o">;</span> <span class="k">for</span> <span class="o">(</span><span class="nc">SecurityFilterChain</span> <span class="n">securityFilterChain</span> <span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">filterChainProxy</span><span class="o">.</span><span class="na">getFilterChains</span><span class="o">()){</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">Integer</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="n">filterChain</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="kt">int</span> <span class="n">j</span> <span class="o">=</span> <span class="mi">1</span><span class="o">;</span> <span class="k">for</span> <span class="o">(</span><span class="nc">Filter</span> <span class="n">filter</span> <span class="o">:</span> <span class="n">securityFilterChain</span><span class="o">.</span><span class="na">getFilters</span><span class="o">()){</span> <span class="n">filterChain</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="n">j</span><span class="o">,</span> <span class="n">filter</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">getName</span><span class="o">());</span> <span class="n">j</span><span class="o">++;</span> <span class="o">}</span> <span class="n">filterChains</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="n">i</span><span class="o">,</span> <span class="n">filterChain</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="n">filterChains</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>​<br> Do you remember how i explained the filters work? Well, I kinda lied, spring security actually uses a filter chain proxy to have the filters defined in the Security Filter Chain, which is different from the Filter Chain, while the former is a Spring Thingy and can then take advantage of other spring features like the ApplicationContext, and is actually the one you’ll be using 99.99% of the time, the later is a Servlet thing, the Security Filter Chain is called inside the Filter Chain, you don’t really have to worry too much about those details but if you do want to go deper you can read the spring security documentation on the Servlet Applicatoins / Architecture section<br> What this endpoint i showed you does is it will get the Security Filter Chains that are registerd in the Filter Chain Proxy (the one that spring wires inside the Servlet Filter Chain) and return the class names of the Filters inside the Security Filter Chain, you will get a response like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"1"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"1"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.session.DisableEncodeUrlFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"2"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"3"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.context.SecurityContextHolderFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"4"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.header.HeaderWriterFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"5"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.csrf.CsrfFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"6"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.authentication.logout.LogoutFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"7"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"8"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.authentication.ui.DefaultResourcesFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"9"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"10"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"11"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.savedrequest.RequestCacheAwareFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"12"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"13"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.authentication.AnonymousAuthenticationFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"14"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.access.ExceptionTranslationFilter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"15"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org.springframework.security.web.access.intercept.AuthorizationFilter"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>​</p> <h3> Key Filters in Spring Security </h3> <p>I’m not gonna explain every single filter but instead let’s go with the ones we care those being:</p> <ul> <li><p><code>SecurityContextHolderFilter</code><br> Retrieves the SecurityContext for requests.</p></li> <li><p><code>CsrfFilter</code><br> Ensures CSRF tokens are included in requests (if enabled).</p></li> <li><p><code>LogoutFilter</code><br> Manages user logout by calling LogoutHandlers and redirecting upon success.</p></li> <li><p><code>UsernamePasswordAuthenticationFilter</code><br> Handles login requests, extracting credentials and passing them to authentication mechanisms.</p></li> <li><p><code>DefaultLoginPageGeneratingFilter</code><br> Generates the default login page.</p></li> <li><p><code>DefaultLogoutPageGeneratingFilter</code><br> Creates the default logout page.</p></li> <li><p><code>AnonymousAuthenticationFilter</code><br> Assigns anonymous authentication when no user is authenticated.</p></li> <li><p><code>ExceptionTranslationFilter</code><br> Converts AccessDeniedException and AuthenticationException into HTTP responses.</p></li> <li><p><code>AuthorizationFilter</code><br> Enforces authorization policies.</p></li> </ul> <h3> Configuring the Security Filter Chain </h3> <p>Below is an example of configuring key security filters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">securityContext</span><span class="o">(</span><span class="n">securityContextConfigurer</span> <span class="o">-&gt;</span> <span class="n">securityContextConfigurer</span><span class="o">.</span><span class="na">securityContextRepository</span><span class="o">(</span><span class="k">new</span> <span class="nc">MyCustonSecurityContextRepository</span><span class="o">())</span> <span class="o">)</span> <span class="o">.</span><span class="na">csrf</span><span class="o">(</span><span class="n">csrfConfigurer</span> <span class="o">-&gt;</span> <span class="n">csrfConfigurer</span><span class="o">.</span><span class="na">disable</span><span class="o">())</span> <span class="o">.</span><span class="na">logout</span><span class="o">(</span><span class="n">logoutConfigurer</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">logoutConfigurer</span><span class="o">.</span><span class="na">logoutUrl</span><span class="o">(</span><span class="s">"/logout"</span><span class="o">);</span> <span class="n">logoutConfigurer</span><span class="o">.</span><span class="na">invalidateHttpSession</span><span class="o">(</span><span class="kc">true</span><span class="o">);</span> <span class="o">})</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="n">loginConfigurer</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">loginConfigurer</span><span class="o">.</span><span class="na">loginPage</span><span class="o">(</span><span class="s">"/login"</span><span class="o">);</span> <span class="n">loginConfigurer</span><span class="o">.</span><span class="na">failureForwardUrl</span><span class="o">(</span><span class="s">"/login?error"</span><span class="o">);</span> <span class="n">loginConfigurer</span><span class="o">.</span><span class="na">usernameParameter</span><span class="o">(</span><span class="s">"username"</span><span class="o">);</span> <span class="o">}</span> <span class="o">)</span> <span class="o">.</span><span class="na">anonymous</span><span class="o">(</span><span class="n">anonymousConfigurer</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">anonymousConfigurer</span><span class="o">.</span><span class="na">principal</span><span class="o">(</span><span class="s">"anonymous"</span><span class="o">);</span> <span class="o">})</span> <span class="o">.</span><span class="na">exceptionHandling</span><span class="o">(</span><span class="n">exceptionHandlingConfigurer</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">exceptionHandlingConfigurer</span><span class="o">.</span><span class="na">accessDeniedPage</span><span class="o">(</span><span class="s">"/access-denied"</span><span class="o">);</span> <span class="o">})</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">authorizeHttp</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">authorizeHttp</span><span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/login"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">();</span> <span class="n">authorizeHttp</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">();</span> <span class="o">});</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>This configuration:</p> <ul> <li>Defines a custom SecurityContextRepository.</li> <li>Disables CSRF (if needed).</li> <li>Customizes login/logout behavior.</li> <li>Handles anonymous users and access denial.</li> <li>Enforces authentication for all routes except /login.</li> </ul> <p>This is all good and great but let’s go a little deeper into how the spring team normally implements authentication inside filters, for this we dive into the implementation of the <code>UsernamePasswordAuthenticationFilter</code>, <code>LogoutFilter</code>, <code>AnonymousFilter</code>, <code>SecurityContextHolderFilter</code> and lastly <code>SecurityContextRepository</code> </p> <h3> SecurityContextHolderFilter </h3> <p>Ensures that the SecurityContext is correctly set before proceeding with request handling. Runs early in the filter chain and guarantees that any downstream filters can access security details.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">doFilter</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">FilterChain</span> <span class="n">chain</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">ServletException</span><span class="o">,</span> <span class="nc">IOException</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="no">FILTER_APPLIED</span><span class="o">)</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">chain</span><span class="o">.</span><span class="na">doFilter</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="n">request</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="no">FILTER_APPLIED</span><span class="o">,</span> <span class="nc">Boolean</span><span class="o">.</span><span class="na">TRUE</span><span class="o">);</span> <span class="nc">Supplier</span><span class="o">&lt;</span><span class="nc">SecurityContext</span><span class="o">&gt;</span> <span class="n">deferredContext</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">securityContextRepository</span><span class="o">.</span><span class="na">loadDeferredContext</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="k">try</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">securityContextHolderStrategy</span><span class="o">.</span><span class="na">setDeferredContext</span><span class="o">(</span><span class="n">deferredContext</span><span class="o">);</span> <span class="n">chain</span><span class="o">.</span><span class="na">doFilter</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="o">}</span> <span class="k">finally</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">securityContextHolderStrategy</span><span class="o">.</span><span class="na">clearContext</span><span class="o">();</span> <span class="n">request</span><span class="o">.</span><span class="na">removeAttribute</span><span class="o">(</span><span class="no">FILTER_APPLIED</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>In the implementation you can see that it will check whether the filter has already been applied, if it hasn’t it will pass the method to load the context to the SecurityContextHolder and continue with the next filter.</p> <h3> SecurityContextRepository </h3> <ul> <li>Restores and retrieves the SecurityContext during request processing.</li> <li>Works with session-based authentication to persist the SecurityContext between requests.</li> <li>Common implementations: <ul> <li>HttpSessionSecurityContextRepository: Stores the SecurityContext in the HTTP session.</li> <li>RequestAttributeSecurityContextRepository: Stores the SecurityContext in request attributes.</li> </ul> </li> </ul> <h3> AnonymousFilter </h3> <p>Assigns an anonymous Authentication object when no authenticated user is present. It ensures that unauthenticated users still have a valid SecurityContext. The anonymous authentication has a special role (ROLE_ANONYMOUS), allowing fine-grained access control.</p> <p>Let’s look at a small part of the filter’s implementation<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">private</span> <span class="nc">SecurityContext</span> <span class="nf">defaultWithAnonymous</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">SecurityContext</span> <span class="n">currentContext</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Authentication</span> <span class="n">currentAuthentication</span> <span class="o">=</span> <span class="n">currentContext</span><span class="o">.</span><span class="na">getAuthentication</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">currentAuthentication</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Authentication</span> <span class="n">anonymous</span> <span class="o">=</span> <span class="n">createAuthentication</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">logger</span><span class="o">.</span><span class="na">isTraceEnabled</span><span class="o">())</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">logger</span><span class="o">.</span><span class="na">trace</span><span class="o">(</span><span class="nc">LogMessage</span><span class="o">.</span><span class="na">of</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="s">"Set SecurityContextHolder to "</span> <span class="o">+</span> <span class="n">anonymous</span><span class="o">));</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">logger</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"Set SecurityContextHolder to anonymous SecurityContext"</span><span class="o">);</span> <span class="o">}</span> <span class="nc">SecurityContext</span> <span class="n">anonymousContext</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">securityContextHolderStrategy</span><span class="o">.</span><span class="na">createEmptyContext</span><span class="o">();</span> <span class="n">anonymousContext</span><span class="o">.</span><span class="na">setAuthentication</span><span class="o">(</span><span class="n">anonymous</span><span class="o">);</span> <span class="k">return</span> <span class="n">anonymousContext</span><span class="o">;</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">logger</span><span class="o">.</span><span class="na">isTraceEnabled</span><span class="o">())</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">logger</span><span class="o">.</span><span class="na">trace</span><span class="o">(</span><span class="nc">LogMessage</span><span class="o">.</span><span class="na">of</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="s">"Did not set SecurityContextHolder since already authenticated "</span> <span class="o">+</span> <span class="n">currentAuthentication</span><span class="o">));</span> <span class="o">}</span> <span class="o">}</span> <span class="k">return</span> <span class="n">currentContext</span><span class="o">;</span> <span class="o">}</span> <span class="kd">protected</span> <span class="nc">Authentication</span> <span class="nf">createAuthentication</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">)</span> <span class="o">{</span> <span class="nc">AnonymousAuthenticationToken</span> <span class="n">token</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AnonymousAuthenticationToken</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">key</span><span class="o">,</span> <span class="k">this</span><span class="o">.</span><span class="na">principal</span><span class="o">,</span> <span class="k">this</span><span class="o">.</span><span class="na">authorities</span><span class="o">);</span> <span class="n">token</span><span class="o">.</span><span class="na">setDetails</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">authenticationDetailsSource</span><span class="o">.</span><span class="na">buildDetails</span><span class="o">(</span><span class="n">request</span><span class="o">));</span> <span class="k">return</span> <span class="n">token</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>This two methods are the ones we actually care about for the purposes of this article, the defeaultWithAnonymous method will get the current authentication and check if it’s null, if it isn’t it logs that it wasn’t necessary to set the <code>SecurityContextHolder</code>, if it is, it creates an <code>AnonymousAuthenticationToken</code> and then an empty context and sets the authentication in it, finally it returns the <code>SecurityContext</code>, the anonymous token will use a key, a principal as a String (which you can configure as you saw in the example) and the details, the details willfrom the http request and those will be the ip address and the session id</p> <h3> UsernamePasswordAuthenticationFilter </h3> <p>This filter a little bit special, normally when you want to create a filter to add to the spring security filter chain you would extend your class with either <code>GenericFilterBean</code>or <code>OncePerRequestFilter</code> but the filters that deal with broswer based http based authentications such as this filter or <code>Oauth2LoginAuthenticationFilter</code>, <code>WebAuthnAuthenticationFilter</code>, etc…, they extend a different class instead, the <code>AbstractAuthenticationProcessingFilter</code> this filter will require an <code>AuthenticationManager</code> to process the authentication request and a <code>RequestMatcher</code> to check if it should attempt authentication for the current request, it has three important methods the <code>attemptAuthentication</code> which will receive both the request and response objects and will perform the actual authentication, if the authentication passess the <code>Authentication</code> result will be placed into the <code>SecurityContext</code> and it will call a configured <code>AuthenticationSuccessHandler</code> and if it fails it will delegate to a configured <code>AuthenticationFailurehandler</code> <br> From the actual implementation of the <code>UsernamePasswordAuthenticationFilter</code> we see relatively how simple this is<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">Authentication</span> <span class="nf">attemptAuthentication</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">AuthenticationException</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">postOnly</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">request</span><span class="o">.</span><span class="na">getMethod</span><span class="o">().</span><span class="na">equals</span><span class="o">(</span><span class="s">"POST"</span><span class="o">))</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">AuthenticationServiceException</span><span class="o">(</span><span class="s">"Authentication method not supported: "</span> <span class="o">+</span> <span class="n">request</span><span class="o">.</span><span class="na">getMethod</span><span class="o">());</span> <span class="o">}</span> <span class="nc">String</span> <span class="n">username</span> <span class="o">=</span> <span class="n">obtainUsername</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="n">username</span> <span class="o">=</span> <span class="o">(</span><span class="n">username</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">?</span> <span class="n">username</span><span class="o">.</span><span class="na">trim</span><span class="o">()</span> <span class="o">:</span> <span class="s">""</span><span class="o">;</span> <span class="nc">String</span> <span class="n">password</span> <span class="o">=</span> <span class="n">obtainPassword</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="n">password</span> <span class="o">=</span> <span class="o">(</span><span class="n">password</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">?</span> <span class="n">password</span> <span class="o">:</span> <span class="s">""</span><span class="o">;</span> <span class="nc">UsernamePasswordAuthenticationToken</span> <span class="n">authRequest</span> <span class="o">=</span> <span class="nc">UsernamePasswordAuthenticationToken</span><span class="o">.</span><span class="na">unauthenticated</span><span class="o">(</span><span class="n">username</span><span class="o">,</span> <span class="n">password</span><span class="o">);</span> <span class="c1">// Allow subclasses to set the "details" property</span> <span class="n">setDetails</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">authRequest</span><span class="o">);</span> <span class="k">return</span> <span class="k">this</span><span class="o">.</span><span class="na">getAuthenticationManager</span><span class="o">().</span><span class="na">authenticate</span><span class="o">(</span><span class="n">authRequest</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>It first checks if it must be a post request and then it obtains both the username and password, it creates an Authentication with the details from the request and lastly it passes this <code>Authentication</code> to the <code>AuthenticationManager</code> <br> now let’s see how this is used in the <code>AbstractAuthenticationProcessingFilter</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">doFilter</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">FilterChain</span> <span class="n">chain</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">ServletException</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(!</span><span class="k">this</span><span class="o">.</span><span class="na">requiresAuthentication</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">))</span> <span class="o">{</span> <span class="n">chain</span><span class="o">.</span><span class="na">doFilter</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Authentication</span> <span class="n">authenticationResult</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">attemptAuthentication</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">authenticationResult</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="k">this</span><span class="o">.</span><span class="na">sessionStrategy</span><span class="o">.</span><span class="na">onAuthentication</span><span class="o">(</span><span class="n">authenticationResult</span><span class="o">,</span> <span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">continueChainBeforeSuccessfulAuthentication</span><span class="o">)</span> <span class="o">{</span> <span class="n">chain</span><span class="o">.</span><span class="na">doFilter</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="o">}</span> <span class="k">this</span><span class="o">.</span><span class="na">successfulAuthentication</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">,</span> <span class="n">chain</span><span class="o">,</span> <span class="n">authenticationResult</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">InternalAuthenticationServiceException</span> <span class="n">failed</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">logger</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"An internal error occurred while trying to authenticate the user."</span><span class="o">,</span> <span class="n">failed</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">unsuccessfulAuthentication</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">,</span> <span class="n">failed</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">AuthenticationException</span> <span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">unsuccessfulAuthentication</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">,</span> <span class="n">ex</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">protected</span> <span class="kt">boolean</span> <span class="nf">requiresAuthentication</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">requiresAuthenticationRequestMatcher</span><span class="o">.</span><span class="na">matches</span><span class="o">(</span><span class="n">request</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">logger</span><span class="o">.</span><span class="na">isTraceEnabled</span><span class="o">())</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">logger</span><span class="o">.</span><span class="na">trace</span><span class="o">(</span><span class="nc">LogMessage</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"Did not match request to %s"</span><span class="o">,</span> <span class="k">this</span><span class="o">.</span><span class="na">requiresAuthenticationRequestMatcher</span><span class="o">));</span> <span class="o">}</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>​<br> It will use the configured <code>RequestMatcher</code> to check if it should perform authentication and then it will call the <code>attemptAuthentication</code> method, if it is successful it will perform some aditional operations (not really important for the purposes of this article) and lastly it will use the <code>succesfulAuthentication</code> method which in turn will use the handler we passed, if it fails it will use the <code>unsuccessfulAuthentication</code>method which uses our failure handler<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">protected</span> <span class="kt">void</span> <span class="nf">successfulAuthentication</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">FilterChain</span> <span class="n">chain</span><span class="o">,</span> <span class="nc">Authentication</span> <span class="n">authResult</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">ServletException</span> <span class="o">{</span> <span class="nc">SecurityContext</span> <span class="n">context</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">securityContextHolderStrategy</span><span class="o">.</span><span class="na">createEmptyContext</span><span class="o">();</span> <span class="n">context</span><span class="o">.</span><span class="na">setAuthentication</span><span class="o">(</span><span class="n">authResult</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">securityContextHolderStrategy</span><span class="o">.</span><span class="na">setContext</span><span class="o">(</span><span class="n">context</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">securityContextRepository</span><span class="o">.</span><span class="na">saveContext</span><span class="o">(</span><span class="n">context</span><span class="o">,</span> <span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">logger</span><span class="o">.</span><span class="na">isDebugEnabled</span><span class="o">())</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">logger</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="nc">LogMessage</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"Set SecurityContextHolder to %s"</span><span class="o">,</span> <span class="n">authResult</span><span class="o">));</span> <span class="o">}</span> <span class="k">this</span><span class="o">.</span><span class="na">rememberMeServices</span><span class="o">.</span><span class="na">loginSuccess</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">,</span> <span class="n">authResult</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">eventPublisher</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">eventPublisher</span><span class="o">.</span><span class="na">publishEvent</span><span class="o">(</span><span class="k">new</span> <span class="nc">InteractiveAuthenticationSuccessEvent</span><span class="o">(</span><span class="n">authResult</span><span class="o">,</span> <span class="k">this</span><span class="o">.</span><span class="na">getClass</span><span class="o">()));</span> <span class="o">}</span> <span class="k">this</span><span class="o">.</span><span class="na">successHandler</span><span class="o">.</span><span class="na">onAuthenticationSuccess</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">,</span> <span class="n">authResult</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>Here we can see that it will do some aditional logic like event publishing, remember me services, etc…, but the part i want to highlight is the save of the context using the <code>SecurityContextRepository</code> this bean comes from the configuration, so let’s talk a little about the configuration of these special filters.</p> <p>The default implementations of these filters are typically configured with the HttpSecurity builder spring provides for the SecurityFilterChain configuration, more specifically it will use special classes that extend the <code>AbstractAuthenticationFilterConfigurer</code> like the <code>FormLoginConfigurer</code> and such, allow me to show a small part of the code in this abstract class:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="no">B</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="o">...</span> <span class="nc">SecurityContextConfigurer</span> <span class="n">securityContextConfigurer</span> <span class="o">=</span> <span class="n">http</span><span class="o">.</span><span class="na">getConfigurer</span><span class="o">(</span><span class="nc">SecurityContextConfigurer</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">securityContextConfigurer</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="n">securityContextConfigurer</span><span class="o">.</span><span class="na">isRequireExplicitSave</span><span class="o">())</span> <span class="o">{</span> <span class="nc">SecurityContextRepository</span> <span class="n">securityContextRepository</span> <span class="o">=</span> <span class="n">securityContextConfigurer</span> <span class="o">.</span><span class="na">getSecurityContextRepository</span><span class="o">();</span> <span class="k">this</span><span class="o">.</span><span class="na">authFilter</span><span class="o">.</span><span class="na">setSecurityContextRepository</span><span class="o">(</span><span class="n">securityContextRepository</span><span class="o">);</span> <span class="o">}</span> <span class="k">this</span><span class="o">.</span><span class="na">authFilter</span><span class="o">.</span><span class="na">setSecurityContextHolderStrategy</span><span class="o">(</span><span class="n">getSecurityContextHolderStrategy</span><span class="o">());</span> <span class="no">F</span> <span class="n">filter</span> <span class="o">=</span> <span class="n">postProcess</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">authFilter</span><span class="o">);</span> <span class="n">http</span><span class="o">.</span><span class="na">addFilter</span><span class="o">(</span><span class="n">filter</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>As you can see here it will use another configurer to get the repository that is going to be needed to save (and restore) the sessions if it was configured as such, do you remember the filter chain configuration example I showed where i provided a configuration example for each of the relevant filters? well, in that example the <code>.securityContext()</code> method is the <code>SecurityContextConfigurer</code>, let’s go see what repository it uses by default<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nc">SecurityContextRepository</span> <span class="nf">getSecurityContextRepository</span><span class="o">()</span> <span class="o">{</span> <span class="nc">SecurityContextRepository</span> <span class="n">securityContextRepository</span> <span class="o">=</span> <span class="n">getBuilder</span><span class="o">()</span> <span class="o">.</span><span class="na">getSharedObject</span><span class="o">(</span><span class="nc">SecurityContextRepository</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">securityContextRepository</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">securityContextRepository</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DelegatingSecurityContextRepository</span><span class="o">(</span> <span class="k">new</span> <span class="nf">RequestAttributeSecurityContextRepository</span><span class="o">(),</span> <span class="k">new</span> <span class="nc">HttpSessionSecurityContextRepository</span><span class="o">());</span> <span class="o">}</span> <span class="k">return</span> <span class="n">securityContextRepository</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>As you can see here, it will use either the one you pass to the configuration or a <code>DelegatingSecurityContextRepository</code> one which is composed of the <code>RequestAttributeSecurityContextRepository</code> (it persits the context on the current request only) and the <code>HttpSessionSecurityContextRepository</code> (it persits the context on the http session) if you didn’t configure one, although there are some small extra details they are not exactly a must to understand the rest.</p> <h3> LogoutFilter </h3> <p>It uses a series of LogoutHandlers which will be used in the order they are specified, after a succesful logout it will perform a redirect using either the <code>LogoutSuccessHandler</code> or the <code>logoutSuccessUrl</code> configured.</p> <p>The implementation of this filter is pretty similar to the previous one so instead of showing it I willl show you the implementation of a logout handler that spring provides.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">logout</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Assert</span><span class="o">.</span><span class="na">notNull</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="s">"HttpServletRequest required"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">invalidateHttpSession</span><span class="o">)</span> <span class="o">{</span> <span class="nc">HttpSession</span> <span class="n">session</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getSession</span><span class="o">(</span><span class="kc">false</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">session</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">session</span><span class="o">.</span><span class="na">invalidate</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">logger</span><span class="o">.</span><span class="na">isDebugEnabled</span><span class="o">())</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">logger</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="nc">LogMessage</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"Invalidated session %s"</span><span class="o">,</span> <span class="n">session</span><span class="o">.</span><span class="na">getId</span><span class="o">()));</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="nc">SecurityContext</span> <span class="n">context</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">securityContextHolderStrategy</span><span class="o">.</span><span class="na">getContext</span><span class="o">();</span> <span class="k">this</span><span class="o">.</span><span class="na">securityContextHolderStrategy</span><span class="o">.</span><span class="na">clearContext</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">clearAuthentication</span><span class="o">)</span> <span class="o">{</span> <span class="n">context</span><span class="o">.</span><span class="na">setAuthentication</span><span class="o">(</span><span class="kc">null</span><span class="o">);</span> <span class="o">}</span> <span class="nc">SecurityContext</span> <span class="n">emptyContext</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">securityContextHolderStrategy</span><span class="o">.</span><span class="na">createEmptyContext</span><span class="o">();</span> <span class="k">this</span><span class="o">.</span><span class="na">securityContextRepository</span><span class="o">.</span><span class="na">saveContext</span><span class="o">(</span><span class="n">emptyContext</span><span class="o">,</span> <span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>This code comes from the <code>SecurityContextLogoutHandler</code> which is one of the default ones spring security uses, it will assert that there is a request, if configured it will invalidate the session, then it will clear the context and if set, it will also clear the authentication it will also use the <code>SecurityContextRepository</code> to update the context to unauthenticated.</p> <h2> Conclusion &amp; What’s Next </h2> <p>So far we’ve explored the key components involved in Spring Security’s authentication flow, from simple things like the <code>Authentication</code> interface to more complext parts like the <code>SecurityContextRepository</code>, by understanding how these parts work together we can gain a deeper insight into how Spring Security manages authentication behind the scenes and allows you to write your own implementations or decide whether you should you the default ones or not. </p> <p>Looking ahead, I plan to write follow-up articles exploring custom authentication implementations, such as integrating alternative authentication mechanisms beyond username-password authentication. I may also cover different Spring Security configurations, including OAuth2, JWT-based authentication, and fine-grained access control strategies.</p> <p>If you’re interested in diving deeper into these topics, stay tuned for upcoming posts where we’ll explore practical examples and real-world use cases. 🚀​</p> <p>Do keep in mind that i’m by no means an expert in either security or spring so I will need lots and lots of documentation which means posting each article will take time, please comment any questions or sugestions you may have I'd be glad to read your thoughts 😁, with nothing else left to say, bye and best regards. 🎉🎉🎉</p> springboot springsecurity authentication security