Spring security

Spring Security is a flexible and powerful authentication and authorization framework for building secure Java EE (J2EE) based enterprise applications.

Authentication: the process of verifying the identity of a user or process, i.e. who are you?

Authorization: the process of checking whether an (already authenticated) user is allowed to perform a given action in the application, i.e. what are you allowed to do?

[Figure: Spring security architecture diagram]

Spring Security Authentication

Spring Security provides the AuthenticationManager interface for the authentication process. It has a single method:

public interface AuthenticationManager {
  Authentication authenticate(Authentication authentication) throws AuthenticationException;
}

The authenticate() method returns a fully populated Authentication (normally with authenticated=true) if the input represents a valid principal. It throws an AuthenticationException if the input represents an invalid principal (wrong password, locked account, and so on). It returns null if it cannot decide whether the input is valid or invalid, for example because it does not handle that type of Authentication at all. A caller must never treat a null result as a successful authentication.

ProviderManager is the most common implementation of AuthenticationManager. It delegates to a chain of AuthenticationProvider objects and has an optional parent AuthenticationManager, which it consults only if every provider in its own chain returns null. If no provider can authenticate the request and no parent is available (or the parent cannot authenticate it either), an AuthenticationException is thrown.

An AuthenticationProvider looks like an AuthenticationManager with one extra method, supports(). This method lets the caller (normally a ProviderManager) ask whether the provider handles a given Authentication type before calling authenticate() on it:

public interface AuthenticationProvider {
	Authentication authenticate(Authentication authentication)
			throws AuthenticationException;
	boolean supports(Class<?> authentication);
}
Note: an application may have several logical groups of protected resources, for example all web resources matching the path pattern /app/**. Each group can have its own dedicated AuthenticationManager, and these dedicated instances can share a common parent that acts as a global resource: a request that no provider in a group's own chain can handle falls through to the parent.
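The following is an added example, not code from the original tutorial, that wires a hypothetical AuthenticationProvider into a parent/child ProviderManager arrangement like the one in the note above, so that the three outcomes of authenticate() (authenticated token, AuthenticationException, and "no provider could decide") can be observed directly. The provider class, the user table and the passwords are constructed for the example; it needs only spring-security-core on the classpath.

```java
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.AnonymousAuthenticationProvider;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class ProviderChainDemo {

  /** Hypothetical provider: checks username/password tokens against a constructed in-memory table. */
  static class InMemoryPasswordProvider implements AuthenticationProvider {
    private final PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
    // Constructed sample data: only the password hash is stored, never the plaintext
    private final Map<String, String> users = Map.of("alice", encoder.encode("correct horse"));
    // Hash checked for unknown users, so a lookup miss costs as much time as a wrong password
    private final String dummyHash = encoder.encode("not-a-real-password");

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
      String username = auth.getName();
      String presented = String.valueOf(auth.getCredentials());
      boolean known = users.containsKey(username);
      // matches() always runs, so response time does not reveal whether the username exists
      boolean matches = encoder.matches(presented, known ? users.get(username) : dummyHash);
      if (!known || !matches) {
        // Same exception and message for unknown user and wrong password: no username enumeration
        throw new BadCredentialsException("Bad credentials");
      }
      // The 3-argument constructor marks the token authenticated; credentials are not carried in the result
      return new UsernamePasswordAuthenticationToken(username, null,
          AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    @Override
    public boolean supports(Class<?> authentication) {
      // Any other token type is skipped by the ProviderManager, which then moves on (or to its parent)
      return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
  }

  /** Builds the parent/child arrangement from the note: a group-local manager with a global parent. */
  static AuthenticationManager buildManager() {
    List<AuthenticationProvider> global = List.of(new InMemoryPasswordProvider());
    ProviderManager parent = new ProviderManager(global);
    // The child only handles anonymous tokens; username/password tokens fall through to the parent
    List<AuthenticationProvider> local = List.of(new AnonymousAuthenticationProvider("demo-key"));
    return new ProviderManager(local, parent);
  }

  public static void main(String[] args) {
    AuthenticationManager manager = buildManager();

    // 1. valid principal: the child abstains, the parent's provider returns an authenticated token
    Authentication ok = manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "correct horse"));
    System.out.println("authenticated=" + ok.isAuthenticated() + " authorities=" + ok.getAuthorities());

    // 2. invalid principal: the provider throws and the exception propagates through both managers
    for (String[] attempt : new String[][] { { "alice", "wrong" }, { "mallory", "anything" } }) {
      try {
        manager.authenticate(new UsernamePasswordAuthenticationToken(attempt[0], attempt[1]));
      } catch (BadCredentialsException e) {
        System.out.println(attempt[0] + ": " + e.getMessage());
      }
    }

    // 3. a token type nobody supports: every provider returns null and the parent cannot help either
    try {
      manager.authenticate(new TestingAuthenticationToken("alice", "x"));
    } catch (ProviderNotFoundException e) {
      System.out.println("no provider: " + e.getMessage());
    }
  }
}
```

Two details matter in practice: the provider throws the same BadCredentialsException for an unknown user and for a wrong password, and it always runs the (deliberately slow) hash comparison, because either a different message or a noticeably faster failure would let an attacker enumerate valid usernames.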

Spring Security lets you customize the AuthenticationManager with the help of AuthenticationManagerBuilder, for example from a WebSecurityConfigurerAdapter:

public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
  // Our code statements
  @Autowired  // Spring injects the global AuthenticationManagerBuilder and the DataSource
  public void initialize(AuthenticationManagerBuilder builder, DataSource dataSource) throws Exception {
    builder.jdbcAuthentication().dataSource(dataSource);  // users and authorities are read from the database
  }
}

Note: Spring Boot comes with a default global AuthenticationManager that is secure enough on its own for development: it defines a single user named user with a random password that is printed to the log at startup. That is not suitable for production, so replace it by configuring the AuthenticationManagerBuilder as above or by providing your own bean of type AuthenticationManager.
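As an added example (not the tutorial's own code), here is a fuller version of the configuration sketched above: it replaces Spring Boot's generated default user with users read from a database, adds a bcrypt PasswordEncoder, uses parameterised queries against hypothetical app_user and app_authority tables, and exposes the resulting AuthenticationManager as a bean. The table and column names are assumptions; the DataSource is expected to be auto-configured by Spring Boot.

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

  /** One encoder for storing and checking passwords; bcrypt is slow on purpose. */
  @Bean
  public PasswordEncoder passwordEncoder() {
    // Work factor 12: raise it until a single check costs a noticeable fraction of a second on your hardware
    return new BCryptPasswordEncoder(12);
  }

  /**
   * Configures the global AuthenticationManager that Spring Boot would otherwise build with one
   * generated user. Users and authorities come from the hypothetical tables app_user / app_authority.
   * The username is bound as a JDBC parameter (?), never concatenated into the SQL.
   */
  @Autowired
  public void initialize(AuthenticationManagerBuilder builder, DataSource dataSource) throws Exception {
    builder.jdbcAuthentication()
        .dataSource(dataSource)
        .passwordEncoder(passwordEncoder())
        .usersByUsernameQuery(
            "select username, password_hash, enabled from app_user where username = ?")
        .authoritiesByUsernameQuery(
            "select username, authority from app_authority where username = ?");
  }

  /** Exposes the manager as a bean so other components (e.g. a JSON login endpoint) can inject it. */
  @Bean
  @Override
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }
}
```

Because the stored value is a bcrypt hash, a leaked app_user table does not directly yield passwords; the same encoder bean must be used when creating users, otherwise matches() will never succeed.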

Spring Security Authorization or Access Control

The authorization process starts once authentication has completed. The AccessDecisionManager interface is the core entity in the authorization process. Spring Security provides three implementations of it (AffirmativeBased, ConsensusBased and UnanimousBased); all three delegate to a chain of AccessDecisionVoter objects and differ only in how the individual votes are combined into a decision.

An AccessDecisionVoter takes an Authentication and a secure object that has been decorated with ConfigAttributes, and answers with one of ACCESS_GRANTED, ACCESS_DENIED or ACCESS_ABSTAIN:

public interface AccessDecisionVoter<S> {
  int ACCESS_GRANTED = 1;
  int ACCESS_ABSTAIN = 0;
  int ACCESS_DENIED = -1;
  boolean supports(ConfigAttribute attribute);
  boolean supports(Class<?> clazz);
  int vote(Authentication authentication, S object,
          Collection<ConfigAttribute> attributes);
}

A ConfigAttribute is a piece of metadata attached to a secure object that determines the level of permission required to access it. In the simplest case it is just a string such as a role name (for example ROLE_ADMIN); it can also be an access expression. A voter abstains from attributes it does not understand, which is why voters can be combined freely.
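Added example (not from the tutorial): a custom AccessDecisionVoter for a hypothetical Document object, combined with Spring's own RoleVoter under two of the three built-in managers. AffirmativeBased grants as soon as one voter returns ACCESS_GRANTED, while UnanimousBased refuses as soon as one voter returns ACCESS_DENIED, so the same votes lead to different decisions. The Document class, the OWNER_ONLY attribute and the users are constructed for the example; it needs only spring-security-core.

```java
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class VoterDemo {

  /** Hypothetical secure object: a document with an owner. */
  static final class Document {
    final String owner;
    Document(String owner) { this.owner = owner; }
  }

  /** Custom voter: understands only the OWNER_ONLY attribute and grants if the principal owns the document. */
  static class OwnerVoter implements AccessDecisionVoter<Document> {
    static final String OWNER_ONLY = "OWNER_ONLY";

    public boolean supports(ConfigAttribute attribute) { return OWNER_ONLY.equals(attribute.getAttribute()); }
    public boolean supports(Class<?> clazz) { return Document.class.isAssignableFrom(clazz); }

    public int vote(Authentication authentication, Document doc, Collection<ConfigAttribute> attributes) {
      for (ConfigAttribute a : attributes) {
        if (supports(a)) {
          return doc.owner.equals(authentication.getName()) ? ACCESS_GRANTED : ACCESS_DENIED;
        }
      }
      return ACCESS_ABSTAIN; // no attribute we understand: leave the decision to the other voters
    }
  }

  static Authentication user(String name, String... roles) {
    return new UsernamePasswordAuthenticationToken(name, "n/a", AuthorityUtils.createAuthorityList(roles));
  }

  /** decide() is void and throws on refusal, so wrap it to get a printable outcome. */
  static String decide(AccessDecisionManager manager, Authentication auth, Document doc, String... attrs) {
    try {
      manager.decide(auth, doc, SecurityConfig.createList(attrs));
      return "granted";
    } catch (AccessDeniedException e) {
      return "denied";
    }
  }

  public static void main(String[] args) {
    List<AccessDecisionVoter<?>> voters = List.of(new RoleVoter(), new OwnerVoter());
    AccessDecisionManager anyYes = new AffirmativeBased(voters); // one GRANTED is enough
    AccessDecisionManager allYes = new UnanimousBased(voters);   // one DENIED is enough to refuse

    Document doc = new Document("alice");
    Authentication alice = user("alice", "ROLE_USER");
    Authentication bob = user("bob", "ROLE_USER", "ROLE_ADMIN");

    // Attributes: ROLE_ADMIN is judged by RoleVoter, OWNER_ONLY by OwnerVoter
    System.out.println(decide(anyYes, alice, doc, "ROLE_ADMIN", "OWNER_ONLY")); // granted: owner vote wins
    System.out.println(decide(anyYes, bob, doc, "ROLE_ADMIN", "OWNER_ONLY"));   // granted: admin vote wins
    System.out.println(decide(allYes, alice, doc, "ROLE_ADMIN", "OWNER_ONLY")); // denied: RoleVoter says no
    System.out.println(decide(allYes, bob, doc, "ROLE_ADMIN", "OWNER_ONLY"));   // denied: OwnerVoter says no
    System.out.println(decide(anyYes, alice, doc, "ROLE_ADMIN"));               // denied: nobody granted
  }
}
```

The last call shows the default for the all-abstain/deny case: when no voter grants, access is denied. An AccessDecisionManager that grants on abstention (allowIfAllAbstainDecisions=true) should be avoided, because an attribute that no voter understands would then silently open the resource.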

Web Security

Spring Security implements web security with servlet filters. A servlet filter is an object that sits in front of a servlet and can inspect, modify or reject a request before it reaches the servlet. Spring Security provides the FilterChainProxy class (itself a Filter) for web security: it holds one or more SecurityFilterChain instances, each with its own request matcher, and runs the first chain whose matcher matches the incoming request.

Note: a Spring Boot application registers the security filter as a @Bean in the ApplicationContext, and it is applied to all requests by default. The position at which this filter is installed in the servlet filter chain is SecurityProperties.DEFAULT_FILTER_ORDER. Any filter that must see the request before security (for example one that wraps or decodes the request) has to be ordered before that value, and any filter that relies on an authenticated request has to be ordered after it.
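Added example (not the page's own code): two filter chains for two resource groups, in the same WebSecurityConfigurerAdapter style the page uses. This also illustrates the note under Spring Security Authentication about logical groups of protected resources. FilterChainProxy tries the chains in @Order and runs the first one whose request matcher matches, so the chain without an antMatcher (which matches everything) has to come last. The paths, roles and users are assumptions for the example; this is a Spring Boot configuration fragment rather than a stand-alone program.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

  /** Constructed users; both chains below share this global user store. */
  @Bean
  public UserDetailsService users() {
    PasswordEncoder enc = PasswordEncoderFactories.createDelegatingPasswordEncoder(); // {bcrypt} by default
    return new InMemoryUserDetailsManager(
        User.withUsername("svc").password(enc.encode("api-secret")).roles("API").build(),
        User.withUsername("admin").password(enc.encode("admin-secret")).roles("ADMIN", "USER").build());
  }

  /** Chain 1: the stateless API group /api/**. HTTP Basic on every request, no session, no CSRF token. */
  @Configuration
  @Order(1)
  public static class ApiSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
      http
          .antMatcher("/api/**")                    // request matcher of this SecurityFilterChain
          .authorizeRequests()
              .antMatchers("/api/health").permitAll()
              .anyRequest().hasRole("API")
              .and()
          .httpBasic()
              .and()
          .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
              .and()
          .csrf().disable();                        // acceptable only because nothing in this chain authenticates via cookies
    }
  }

  /** Chain 2: everything else, session-based form login. No antMatcher means "all requests", so it must be ordered last. */
  @Configuration
  @Order(2)
  public static class WebAppSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
      http
          .authorizeRequests()
              .antMatchers("/", "/login", "/css/**").permitAll()
              .antMatchers("/admin/**").hasRole("ADMIN")
              .anyRequest().authenticated()
              .and()
          .formLogin().loginPage("/login").permitAll()
              .and()
          .logout();                                // CSRF protection stays enabled (the default) for this chain
    }
  }
}
```

If the two @Order values were swapped, the catch-all chain would claim /api/** as well and the API chain would never run; an easy check is to start the application with debug logging for org.springframework.security and confirm which chain each request is matched to.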

Method Security

Spring Security also provides method security, i.e. support for applying access rules to Java method executions. To use it, method security has to be enabled, normally in a top-level or module-level configuration class for the application. The caller of a secured method has to pass the security check first: if the caller satisfies the check the method executes, otherwise the caller gets an AccessDeniedException and the method body never runs.

@Service
public class TestService {
  @Secured("ROLE_USER")  // only callers holding ROLE_USER get past the check
  public String secureMethod() {
    return "Hello Method Security";
  }
}

Copyright © 2019 CodesJava