🏗️ Detailed Spring Security Flow Schema
        [1] HTTP Request
                │
                ▼
┌───────────────────────────────┐
│ Security Filter Chain         │
│ (DelegatingFilterProxy ->     │
│  FilterChainProxy ->          │
│  matching SecurityFilterChain)│
└───────────────────────────────┘
                │
                ▼
+----------------------------------------------------------------------+
| Example Filters in Chain (in order):                                 |
| - SecurityContextHolderFilter (loads the SecurityContext;            |
|   SecurityContextPersistenceFilter before 6.x)                       |
| - UsernamePasswordAuthenticationFilter (handles login form)          |
| - BasicAuthenticationFilter (for Basic Auth)                         |
| - BearerTokenAuthenticationFilter (for JWT/opaque OAuth2 tokens)     |
| - ExceptionTranslationFilter (handles 401/403 via entry point)       |
| - AuthorizationFilter (authorization; was FilterSecurityInterceptor) |
+----------------------------------------------------------------------+
                │
                ▼
┌───────────────────────────────┐
│ Authentication Manager        │
│ (ProviderManager: tries each  │
│  provider that supports the   │
│  token type)                  │
└───────────────────────────────┘
                │
                ▼
┌───────────────────────────────┐
│ Authentication Provider(s)    │
│ - DaoAuthenticationProvider   │
│ - JwtAuthenticationProvider   │
│ - LdapAuthenticationProvider  │
└───────────────────────────────┘
                │
                ▼
┌───────────────────────────────┐
│ UserDetailsService            │
│ + PasswordEncoder             │
│ (loads user from DB,          │
│  checks password hash)        │
└───────────────────────────────┘
                │
                ▼
┌───────────────────────────────┐
│ Authentication Object         │
│ (principal, authorities,      │
│  details; authenticated)      │
└───────────────────────────────┘
                │
                ▼
┌───────────────────────────────┐
│ SecurityContextHolder         │
│ (stores Authentication for    │
│  current thread/request)      │
└───────────────────────────────┘
                │
                ▼
┌───────────────────────────────┐
│ Authorization Layer           │
│ - AuthorizationManager        │
│   (6.x; replaces the older    │
│   AccessDecisionManager       │
│   + RoleVoter/ExpressionVoter)│
└───────────────────────────────┘
                │
                ▼
              Access Decision
┌──────────────┬──────────────────────────┐
│ Granted      │ Denied                   │
│ (continue to │ (403 Forbidden; if not   │
│ controller)  │  authenticated, the entry│
│              │  point sends 401 / 302)  │
└──────────────┴──────────────────────────┘
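The chain above as a Spring Security 6.x (Spring Boot 3) Java configuration, added here as an example and not taken from the original page: it wires the PasswordEncoder, the UserDetailsService, a DaoAuthenticationProvider inside a ProviderManager, and a SecurityFilterChain with the authorization rules and the 401/403 handling. The package name, the URL paths and the two in-memory users are assumptions made for the example.

```java
// Added example (not code from the original page). Spring Security 6.x / Spring Boot 3.
// Package name, paths and the two in-memory users are assumptions made for the example.
package com.example.securityflow;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // PasswordEncoder: hashes new passwords with bcrypt and verifies stored hashes by their
    // {id} prefix ({bcrypt}, {argon2}, {pbkdf2}, ...), so the algorithm can be rotated later.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // UserDetailsService: constructed in-memory users stand in for the database lookup.
    // Only encoder output is stored, never the clear-text password.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
                User.withUsername("alice").password(encoder.encode("alice-pw")).roles("USER").build(),
                User.withUsername("ops").password(encoder.encode("ops-pw")).roles("USER", "ADMIN").build());
    }

    // AuthenticationManager: a ProviderManager holding one DaoAuthenticationProvider, which loads
    // the user through the UserDetailsService and checks the password through the PasswordEncoder.
    @Bean
    AuthenticationManager authenticationManager(UserDetailsService uds, PasswordEncoder encoder) {
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(uds);
        dao.setPasswordEncoder(encoder);
        return new ProviderManager(dao);
    }

    // SecurityFilterChain: the filters from the schema, assembled by HttpSecurity.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authManager) throws Exception {
        http
            .authenticationManager(authManager)
            // Credentials travel on every request; no session or cookie carries the login,
            // so there is nothing for a CSRF attack to ride on and the token check is disabled.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            // BasicAuthenticationFilter: extracts the Authorization: Basic header.
            .httpBasic(Customizer.withDefaults())
            // AuthorizationFilter + AuthorizationManager: hasRole("ADMIN") checks the ROLE_ADMIN authority.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public/**").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // ExceptionTranslationFilter: unauthenticated callers get a bare 401 (no WWW-Authenticate
            // challenge, so browsers show no login popup); authenticated callers that fail
            // authorization get the default 403 from the AccessDeniedHandler.
            .exceptionHandling(ex -> ex
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)));
        return http.build();
    }
}
```

Because authentication here is per-request Basic credentials, the chain is stateless and CSRF is switched off; for form login, where a session cookie carries the authentication, keep both defaults (session creation and CSRF protection) in place.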
🔎 Step-by-Step Details
- Request enters the Spring Security filter chain
  - DelegatingFilterProxy hands the request to FilterChainProxy, which picks the first SecurityFilterChain whose request matcher applies (an application can register several, e.g. one for /api/** and one for the UI).
  - The request then passes through every filter in that chain, in order; each filter acts only when it applies (UsernamePasswordAuthenticationFilter only on a POST to the login URL, BasicAuthenticationFilter only when an Authorization: Basic header is present) and otherwise just calls the next filter.
  - Each filter has one responsibility (login handling, token validation, exception translation, authorization).
- Authentication process (if required)
  - The filter builds an unauthenticated Authentication (for example a UsernamePasswordAuthenticationToken holding the submitted credentials) and delegates it to the AuthenticationManager.
  - The default manager, ProviderManager, asks each AuthenticationProvider that supports() that token type to validate the credentials; the first provider that returns a fully authenticated Authentication wins, and if none does the last AuthenticationException is thrown.
- UserDetailsService & PasswordEncoder
  - If username/password authentication (DaoAuthenticationProvider):
    - Load the user by name from the DB (UserDetailsService.loadUserByUsername).
    - Compare the submitted password with the stored hash using a PasswordEncoder (e.g., BCrypt); the provider calls encoder.matches(raw, storedHash), so application code never compares hashes itself.
    - A missing user and a wrong password are both reported as BadCredentialsException by default, so the login response does not reveal which usernames exist.
- Authentication object created
  - If successful, the provider returns an Authentication whose isAuthenticated() is true (it carries the principal, the granted authorities/roles and request details); ProviderManager erases the clear-text credentials from it by default.
- SecurityContextHolder
  - Stores the Authentication in a SecurityContext that, with the default MODE_THREADLOCAL strategy, is bound to the thread serving the request.
  - Makes it accessible throughout the request lifecycle (controllers, services, method security); the filter chain clears it when the request finishes so the pooled thread does not carry one user's Authentication into the next request.
  - Threads the application starts itself (@Async, executors) do not see it unless the context is propagated (MODE_INHERITABLETHREADLOCAL, or Spring Security's Delegating*Executor wrappers).
- Authorization
  - When a protected resource is accessed, AuthorizationFilter asks an AuthorizationManager whether the current Authentication may reach the request (the authorizeHttpRequests rules); in Spring Security 5.x this was FilterSecurityInterceptor with an AccessDecisionManager and voters.
  - Example: hasRole("ADMIN") grants access only if the Authentication carries the ROLE_ADMIN authority (the legacy RoleVoter made the same check).
- Decision outcome
  - If allowed → request proceeds to the Controller/Service.
  - If denied, ExceptionTranslationFilter decides how to answer:
    - caller authenticated but not permitted → AccessDeniedHandler → 403 Forbidden.
    - caller not authenticated (anonymous) or credentials invalid → AuthenticationEntryPoint → 401 Unauthorized for Basic/Bearer clients, or a 302 redirect to the login page for form login.
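The thread-local behaviour described under SecurityContextHolder, as an added stand-alone example (not code from the original page) that runs against spring-security-core without a web server: it stores a constructed Authentication the way the filter chain does, shows that a task on an ordinary executor thread does not see it, shows the DelegatingSecurityContextExecutorService wrapper propagating it, and clears it as the filter does at the end of a request. The user name and authority are constructed sample data.

```java
// Added example (not code from the original page): SecurityContextHolder's default
// ThreadLocal strategy, demonstrated without a servlet container. Needs spring-security-core.
// The principal "alice" and the ROLE_USER authority are constructed sample data.
package com.example.securityflow;

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.concurrent.DelegatingSecurityContextExecutorService;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

public class ContextPropagationDemo {

    // Reads whatever the calling thread's SecurityContext holds; "<none>" when nothing is stored.
    static String currentPrincipal() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? "<none>" : auth.getName();
    }

    public static void main(String[] args) throws Exception {
        // What a successful provider returns: principal and authorities set, credentials null
        // (ProviderManager erases them by default), isAuthenticated() == true.
        Authentication auth = UsernamePasswordAuthenticationToken.authenticated(
                "alice", null, AuthorityUtils.createAuthorityList("ROLE_USER"));

        // Store it the way the filter chain does for the thread serving the request.
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);
        System.out.println("request thread  : " + currentPrincipal());

        // A task handed to an ordinary executor runs on another thread whose ThreadLocal is
        // empty: the Authentication is not visible there.
        ExecutorService plain = Executors.newSingleThreadExecutor();
        Future<String> unwrapped = plain.submit(ContextPropagationDemo::currentPrincipal);
        System.out.println("plain executor  : " + unwrapped.get());

        // The Spring Security wrapper captures the submitter's SecurityContext, installs it on
        // the worker thread for the duration of the task, then restores the previous one.
        ExecutorService propagating = new DelegatingSecurityContextExecutorService(plain);
        Future<String> wrapped = propagating.submit(ContextPropagationDemo::currentPrincipal);
        System.out.println("delegating exec : " + wrapped.get());

        // At the end of a request the filter clears the context so the pooled thread does not
        // leak one user's Authentication into the next request it serves.
        SecurityContextHolder.clearContext();
        System.out.println("after clear     : " + currentPrincipal());
        plain.shutdown();
    }
}
```

With MODE_THREADLOCAL (the default) the wrapper is the only reason the second executor task sees the principal; the same applies to @Async methods, which need a DelegatingSecurityContextAsyncTaskExecutor or the MODE_INHERITABLETHREADLOCAL strategy to run as the caller.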