Click on any component in the diagram to explore its role, technical breakdown, and code examples.

Simulation Legend

Incoming Request / Processing

Success / Authorized

Exception / Denied

HTTP Req

Client Request

SecurityFilterChain

SecurityContext
Filter

Authentication
Filter

Exception
TranslationFilter

AuthorizationFilter

Authentication Architecture

AuthenticationManager

Coordinates Validation

AuthenticationProvider

e.g. DaoAuthenticationProvider

UserDetailsService

Loads Data

PasswordEncoder

Validates Hash

SecurityContextHolder

Stores Auth State

Target Resource

Secured Endpoint

Spring Security 6: Architecture & Principles

In an era where data breaches cost millions and erode user trust, securing applications isn’t optional — it’s existential. Security isn’t just about tools; it’s about principles. Spring Security isn’t just a framework — it’s a manifestation of these principles.

Defense in Depth

“Don’t rely on a single safeguard.”

Layered Filters: A chain of security filters (e.g., auth, CSRF).
Redundant Checks: Method-level security (`@PreAuthorize`) alongside URL rules.

Least Privilege

“Only grant necessary access.”

RBAC: Restrict endpoints to specific roles.
Scope-Based: Limit third-party app permissions in OAuth2.

Fail-Secure Defaults

“Deny access unless explicitly permitted.”

All endpoints require auth unless whitelisted.
Automatic CSRF protection for stateful flows.

Confidentiality & Integrity

“Protect data from eavesdropping and tampering.”

HTTPS enforcement.
Password hashing (e.g., `BCryptPasswordEncoder`).
JWT signature validation.

Core Components Configuration

1. SecurityFilterChain

Defines the order and behavior of security filters applied to incoming requests. Each filter handles a specific task.

@Bean
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth
            .requestMatchers("/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated()
        )
        .formLogin(Customizer.withDefaults())
        .addFilterBefore(
            new CustomFilter(),
            BasicAuthenticationFilter.class
        );
    return http.build();
}

2. AuthenticationManager & Provider

Coordinates the authentication process by delegating to one or more AuthenticationProvider instances to validate credentials.

@Component
public class ApiKeyAuthProvider implements AuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication auth) {
        String apiKey = (String) auth.getCredentials();
        if (isValidApiKey(apiKey)) {
            return new ApiKeyAuthenticationToken(
                apiKey,
                List.of(new SimpleGrantedAuthority("ROLE_USER"))
            );
        }
        throw new BadCredentialsException("Invalid API Key");
    }

    @Override
    public boolean supports(Class authentication) {
        return ApiKeyAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

3. UserDetailsService & PasswordEncoder

Loads user data from storage and validates hashes to ensure passwords are never stored in plaintext.

@Service
public class CustomUserDetailsService implements UserDetailsService {
    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) {
        User user = userRepository.findByEmail(username)
            .orElseThrow(() -> new UsernameNotFoundException("User not found"));

        return new org.springframework.security.core.userdetails.User(
            user.getEmail(),
            user.getPassword(),
            user.getRoles().stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .toList()
        );
    }
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder(12); // Strength 12 recommended
}

The journey begins when a client (browser, mobile app, or another API) sends an HTTP request to your application.

Before reaching your controllers, this request is intercepted by the Servlet Container (like Tomcat), which passes it to Spring Security via the DelegatingFilterProxy and FilterChainProxy.

What It Does: Defines the order and behavior of security filters applied to incoming requests. It represents the Defense in Depth principle.

Filters process requests sequentially. If a filter rejects the request (e.g., missing CSRF token), the chain stops.

http.authorizeHttpRequests(auth -> auth
    .requestMatchers("/admin/**").hasRole("ADMIN")
    .anyRequest().authenticated()
)

Filters like UsernamePasswordAuthenticationFilter or BearerTokenAuthenticationFilter intercept requests to extract credentials.

They create an unauthenticated token and pass it to the AuthenticationManager. If auth succeeds, the resulting token is saved in the SecurityContext.

Acts as a safety net just before authorization.

It catches security exceptions thrown by filters further down (or by your app logic) and translates them into HTTP responses:

AuthenticationException: User needs to log in (Returns 401).
AccessDeniedException: User lacks permission (Returns 403).

The final gatekeeper before your actual application code is executed.

It enforces the Principle of Least Privilege. It checks the current authenticated user's roles against the security constraints defined for the requested URL.

What It Does: Coordinates the authentication process.

It receives an Authentication object (e.g., from a filter) and iterates through its configured list of AuthenticationProvider instances until it finds one that supports the token type.

It then delegates the actual validation to that provider.

Where the actual validation logic lives. You might have different providers for DB lookup, LDAP, or API Keys.

The standard DaoAuthenticationProvider uses the UserDetailsService to fetch the user and the PasswordEncoder to verify the password.

What It Does: Loads user-specific data from a storage layer (database, LDAP, etc.).

It returns a UserDetails object containing the user's stored password hash, granted authorities (roles), and account status, which Spring uses for evaluation.

What It Does: Encodes and validates passwords, ensuring Confidentiality.

It prevents password leaks if the DB is compromised. Always use strong algorithms like BCrypt (strength 12+), Argon2, or SCrypt.

return new BCryptPasswordEncoder(12);

The heart of state management. After successful authentication, the resulting Authentication object is stored here.

By default, it uses a ThreadLocal, meaning anywhere in your application (on that request thread), you can access the current user's details without passing them as arguments.

Your protected application code (e.g., a Spring MVC Controller).

Because of Spring Security's Fail-Secure Defaults, a request only reaches this point if it successfully traversed the entire filter chain, authenticated successfully, and was authorized for access.

Spring Security 6 Architecture

Component Inspector