Spring Security, is a flexible and powerful authentication and access control framework to secure Spring-based Java web applications. In this blog i would like to cover the internal architecture of the core modules of spring security.

  • Authentication
  • Authorization
  • Exception Handling

In part 1 of this blog mainly I cover the Authentication module and will cover the rest of the modules in follow up blogs.


Spring security supports multiple types of logins. Here I am going to cover Form based login. The below diagram describes the flow of the form based login.

UsernamePasswordAuthenticationFilter handles the authentication request which extends from AbstractAuthenticationProcessingFilter.

For form based login, your login form must present two parameters to this filter: “username” and “password“. And this filter by default responds to the URL “/login“. But if you would like to have different parameters and different URL, then you have to have your custom filter which extends from UsernamePasswordAuthenticationFilter and have to override the attemptAuthentication() method.


AbstractAuthenticationProcessingFilter : –

This filter has following abstract method which is implemented by UsernamePasswordAuthenticationFilter.

  • This filter does the following operations.
    • First it checks for whether authentication is required or not based on our HttpSecurity configuration. If authentication is not required, it simply invoke the next filter in the chain.
    • If authentication requires, then it calls the attemptAuthentication(request, response) which is implemented by UsernamePasswordAuthenticationFilter and this method returns the Authentication object.


  • In attemptAuthentication method first it obtains the username & password from the request.
  • Then it constructs the UsernamePasswordAuthenticationToken using the below code. Which is nothing but “Authentication” object.

This Authentication object will be as mentioned below.

  • So once it build the UsernamePasswordAuthenticationToken/Authentication object, then it invokes the authenticate() method of “Authentication Manager”. Means this filter delegates the job to the “AuthenticationManager”.



  • ProviderManager is the implementation of AuthenticationManager and which has the following method.

         public Authentication authenticate(Authentication authentication);


  • ProviderManager iterates through all the provided/configured Authentication providers and delegate the actual Authentication job to Authentication providers.



  • There are many implementations for AuthenticationProvider. One of the implementation is DAOAuthenticationProvider. Which extends from the AbstractUserDetailsAuthenticationProvider.
  • As mentioned above AuthenticationManager delegates the job to AuthenticationProvider to authenticate the user. To this AuthenticationProvider we can pass/inject the following information.
    • UserDetailsService
    • Salt
    • PasswordEncoder


  • Which is responsible to load the actual user details which means UserDetails object. We will have our custom implementation of UserDetailsService to load or retrieve the UserDetails object either from internal memory or from Database.



  • We have multiple implementations of Password Encoder like
    • MD4PasswordEncoder
    • MD5PasswordEncoder
    • ShaPasswordEncoder
    • PlaintextPasswordEncoder
  • We can have our own implementation of password encoder. Here i’m providing custom implementation of password encoder.



Salt is a random Byte [] array. We can generate the salt as mentioned below.


Now finally AuthenticationProvider authenticate the user and build the “Authentication” object and return to the AuthenticationManager. Here i have mentioned some of the code blocks which helps you to understand the flow in detail.


This method retrieves the UserDetails object from DB using custom implementation of UserDetailsService.


This method checks whether the provided password is valid or not.


Once password validated successfully, this method creates the Authentication object with Authorities and sets the isAuthenticated flag as true.

  • createSuccessAuthentication method creates the following Authentication object.

  • AuthenticationProvider returns the Authentication object to AuthenticationManager.
  • In the above mentioned Authentication process if Authentication fails, then filter clears the Security context and invokes the failure-handler.

  • If it successfully gets the Authentication object then it does following things.
    • It stores the Authentication object in the SecurityContextHolder.
    • And it invokes the success-handler.


I’ll cover Authorization and Exception handling modules in part 2. Which i’m going to publish soon.

Happy Blogging…:)