Demystifying How Authentication Works In Spring Security

Spring Security Authentication Flow

In this post on how authentication works in Spring Security, we cover the authentication flow in Spring Security. This is going to be a long article, as we walk through the full Spring Security authentication flow.

Spring Security provides comprehensive security services for J2EE-based enterprise software applications. People use Spring Security for many reasons, but most are drawn to the project after finding that the security features of the J2EE Servlet Specification or EJB Specification lack the depth required for typical enterprise application scenarios.

Spring Security works on three core principles or steps :-

  1. Authentication
  2. Authorization
  3. Exception handling

We will see how Spring initiates and starts the whole authentication process, but first let us discuss the Spring authentication flow; we will deep dive in upcoming posts.

How Authentication Works In Spring Security :-

Spring Security is basically a chain of Servlet filters written for various purposes. Each of those filters is meant to do one specific task.

Spring provides different authentication mechanisms, such as HTTP Basic, form-based login, OAuth1, etc. Each mechanism is handled by a specific filter that extends AbstractAuthenticationProcessingFilter. All requests are handled by such a filter, and throughout this post we will refer to it as the AuthenticationFilter. Have a look at the different filters and their use cases.

How HTTPBasic Authentication Works In Spring Security :-

Once a Servlet request for HTTP Basic authentication reaches Spring Security, the AuthenticationFilter picks it up and tries to decode the HTTP Basic headers. It then checks whether authentication is required or not. If authentication is required, it creates an instance of UsernamePasswordAuthenticationToken with the supplied username and password and sets isAuthenticated(false). This token is then passed to the AuthenticationManager, as shown in the diagram below.


How the AuthenticationManager authenticates that token we will see in a while. Note that the authenticated value is still false at this step, until the UsernamePasswordAuthenticationToken is passed to the AuthenticationManager. Once the AuthenticationManager processes the request with that token object, the authenticated status is changed to true in the case of successful authentication, as shown below; otherwise an AuthenticationException is thrown.



How the AuthenticationManager handles Authentication In Spring Security :-

The AuthenticationManager is responsible for handling authentication, using different AuthenticationProviders. We can also use a custom AuthenticationProvider, backed by a database, LDAP, etc. The sole responsibility of an AuthenticationProvider is to return an Authentication instance with the Principal object and the GrantedAuthorities populated.


Have a look at the AuthenticationManager source code :-


Once a user sends a request, it reaches the right authentication filter based on the authentication mechanism used. The filter extracts the given credentials from the request, creates a UsernamePasswordAuthenticationToken (the Authentication object) from the supplied values, and then calls the authenticate method of the AuthenticationManager.

The request then passes to the AuthenticationProvider, which contains an implementation of UserDetailsService. Spring loads the user information by calling loadUserByUsername on the UserDetailsService and compares the stored username/password combination with the credentials supplied at login.

If the user is valid, the AuthenticationManager creates a UsernamePasswordAuthenticationToken instance with the following constructor (the one that also takes the granted authorities), which sets authenticated = true.

UsernamePasswordAuthenticationToken is the Authentication object that is passed to the authenticate method of the AuthenticationManager. Have a look at how the Authentication interface in Spring looks:

This Authentication object is then returned to the AuthenticationFilter. The AuthenticationFilter sets the Authentication object, containing the Principal and GrantedAuthorities, in the SecurityContext, as shown below, extending the diagram above.

AuthenticationFilter and SecurityContext

We can configure multiple AuthenticationProviders in Spring Security; an Authentication object is returned if any one of them is successful.

Spring Security provides a number of AuthenticationProvider implementations:

  1. DaoAuthenticationProvider
  2. CasAuthenticationProvider
  3. X509AuthenticationProvider
  4. JaasAuthenticationProvider
  5. LdapAuthenticationProvider

In the next post we will see how we can create custom AuthenticationProviders in Spring Security and explain the authorization flow.

Now that you have understood the HTTP Basic authentication mechanism in Spring, the same applies to the other authentication mechanisms in Spring Security. Please let me know, with the post title in the subject line, if you have any questions or need clarification.

Summarizing the Authentication Flow in Spring Security :-

  • The AuthenticationFilter creates an Authentication request and passes it to the AuthenticationManager.
  • The AuthenticationManager delegates the request to an AuthenticationProvider.
  • The AuthenticationProvider calls the UserDetailsService, loads the UserDetails and returns the authenticated Principal.
  • The AuthenticationManager returns the authenticated object to the AuthenticationFilter, and the AuthenticationFilter sets the Authentication object in the SecurityContext.

Note :- If you think closely, we do not even need a UserDetailsService; the only thing the AuthenticationProvider has to deliver is an Authentication object with a Principal (any object) and the GrantedAuthorities.
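The flow summarized above, and the note that a provider needs no UserDetailsService, as an added example that is not code from the original post: a hypothetical AuthenticationProvider (name and in-memory credential map are my own assumptions) that verifies a password against a stored BCrypt hash and returns an authenticated token, wired into Spring's ProviderManager (the standard AuthenticationManager implementation) the same way the AuthenticationFilter would call it.

```java
import java.util.List;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Hypothetical provider: no UserDetailsService, just a map of username -> BCrypt hash. */
public class InMemoryHashAuthenticationProvider implements AuthenticationProvider {
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();
    // Constructed sample data: only the hash is stored, never the plaintext password.
    private final Map<String, String> hashes = Map.of("alice", encoder.encode("s3cret"));
    // Hash used for unknown users so a lookup miss costs the same time as a real comparison.
    private final String dummyHash = encoder.encode("placeholder");

    @Override
    public Authentication authenticate(Authentication request) {
        String username = request.getName();
        String presented = String.valueOf(request.getCredentials());
        // Always run the BCrypt comparison so timing does not reveal whether the user exists.
        boolean matches = encoder.matches(presented, hashes.getOrDefault(username, dummyHash));
        if (!matches || !hashes.containsKey(username)) {
            // Same message for unknown user and wrong password; ProviderManager surfaces it to the filter.
            throw new BadCredentialsException("Bad credentials");
        }
        // The constructor that takes authorities marks the token authenticated (isAuthenticated() == true).
        return new UsernamePasswordAuthenticationToken(
                username, null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    public static void main(String[] args) {
        // ProviderManager is the AuthenticationManager; it delegates to each provider that supports the token.
        ProviderManager manager = new ProviderManager(List.of(new InMemoryHashAuthenticationProvider()));
        // What the AuthenticationFilter builds from the decoded headers: an unauthenticated request token.
        Authentication request = new UsernamePasswordAuthenticationToken("alice", "s3cret");
        Authentication result = manager.authenticate(request);
        // What the AuthenticationFilter does with the result: store it in the SecurityContext.
        SecurityContextHolder.getContext().setAuthentication(result);
        System.out.println(result.isAuthenticated() + " " + result.getAuthorities());
    }
}
```

Pass a wrong password or an unknown username and authenticate throws BadCredentialsException instead of returning, which is the AuthenticationException path described above.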

This is the beauty of the Spring Framework: you always have an option to customize things.

Article Written and Published By :- Subrat Padhi .
