Spring Security - Behind the Curtain

A comprehensive guide to decode the Architecture



This article focuses on an in-depth architectural overview of Spring Security. I can confidently say that this is one of the best breakdowns you have ever encountered on Spring Security, but there are some prerequisites that you should have before moving forward. They are:

1. Understanding of Servlets
2. What is a Request and Response
3. Understanding of MVC Architecture
4. What is a Front Controller

Assuming you've got the foundational blocks in place, we're about to unwrap the intricate architecture of Spring Security.

The Breakdown 💥

1. Servlet Filter Chain

  • The FilterChain is a component of the servlet container that plays a fundamental role in the Standard Servlet Request Processing Pipeline. The FilterChain contains a list of Filter objects in a proper sequential order.

  • Each filter in the filter chain performs validation or customization logic on incoming requests. This helps in assuring the authenticity of the incoming requests. For example:

    • Validation Filters: Verifying request content type, method type, authentication, authorization, parameters, etc.

    • Logging filters: for tracking request details.

    • Encryption filters: for secure data transmission.

    • Authentication filters: for user login and access control (usually added on the server side).

  • Any request coming from the client passes through the FilterChain of the Servlet Container. Once the request has passed through all the Filters, it proceeds to the Front Controller. The Front Controller then takes charge of routing the request to the appropriate resource for further handling and response generation.

Servlet FilterChain diagram

2. DelegatingFilterProxy

  • DelegatingFilterProxy is the Spring-managed custom filter. It implements the Filter interface of javax-servlet-api.

  • DelegatingFilterProxy helps in delegating the request filtering process to another bean responsible for managing the Spring Security filters.

  • This step is very crucial in a Spring Security-driven application since the servlet container doesn't understand Spring Beans and their configuration.

DelegatingFilterProxy diagram

3. Filter Chain Proxy

  • The FilterChainProxy is responsible for managing a list of SecurityFilterChain beans.

  • When a request enters DelegatingFilterProxy it further delegates the filtering process to the FilterChainProxy.

  • The FilterChainProxy iterates over the list of SecurityFilterChain beans and tries to find a match (based on the URL pattern) for the current request.

  • If a match is found, then the FilterChainProxy delegates the request to the SecurityFilterChain.

Security Filter chain Diagram

4. Security Filter Chain

  • The SecurityFilterChain contains a list of Filter objects that are specific to the security requirements of the request.

  • Each SecurityFilterChain iterates through its list of filters, sequentially executing them.

  • If any filter in the SecurityFilterChain returns a negative response, the request is denied.

  • If all filters in the SecurityFilterChain pass successfully, the request proceeds to the next filter or servlet responsible for handling it.

5. UsernamePasswordAuthenticationFilter

  • UsernamePasswordAuthenticationFilter is one of the filters in the SecurityFilterChain. By default it performs in-memory authentication against a default username, user, and a randomly generated password that is printed to the console. This default exists to get a project set up quickly, but it is not recommended for use.

  • This in-memory authentication behaviour is what we saw in the previous article of this series, Spring Security - The Magic First Approach, where Spring Security by default had a user named user and generated the password during application startup.

Authentication Architecture

Note: The following architecture diagram represents the authentication mechanism for the user data present in the database.

  • The request from the client passes through the Servlet FilterChain and the DelegatingFilterProxy delegates the request to the SecurityFilterChain.

  • The SecurityFilterChain delegates the request object to the UsernamePasswordAuthenticationFilter, which generates a UsernamePasswordAuthenticationToken using user credentials.

  • The UsernamePasswordAuthenticationToken is then passed to the AuthenticationManager, which contains a list of AuthenticationProviders, each containing its own authentication logic.

  • AuthenticationProvider is an interface; it is generally implemented by DaoAuthenticationProvider, which validates the user credentials against the database.

  • If the user is successfully authenticated, the UsernamePasswordAuthenticationToken is further populated and the authentication object is set in the SecurityContext of the SecurityContextHolder.

  • The SecurityContext holds the authentication object throughout the request processing time. One SecurityContextHolder can hold only one SecurityContext at a time.
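
The flow above carried out by hand, as an added example that is not from the original article: the token is built, authenticated by a DaoAuthenticationProvider inside a ProviderManager, and stored in the SecurityContextHolder. It assumes Spring Security 5.7 to 6.x on the classpath; the class name and the sample user are constructed, and an InMemoryUserDetailsManager stands in for the database lookup.

```java
import org.springframework.security.authentication.*;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class AuthFlowDemo {                        // hypothetical class name
    public static void main(String[] args) {
        var encoder = new BCryptPasswordEncoder();
        // Constructed sample user; stands in for a record loaded from the database.
        var users = new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("sample-pw")).roles("USER").build());

        // AuthenticationManager holding a single AuthenticationProvider.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        AuthenticationManager manager = new ProviderManager(provider);

        // The token UsernamePasswordAuthenticationFilter builds from the login request.
        Authentication request =
            UsernamePasswordAuthenticationToken.unauthenticated("alice", "sample-pw");
        Authentication result = manager.authenticate(request);

        // "Further populated": authenticated flag set, authorities loaded, and the
        // submitted password erased by ProviderManager (its default behaviour).
        System.out.println(result.isAuthenticated() + " " + result.getAuthorities()
            + " credentials=" + result.getCredentials());

        // Store the result so the rest of the request can read it.
        var context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(result);
        SecurityContextHolder.setContext(context);

        // A wrong password and an unknown user fail with the same exception by
        // default, so the failure does not reveal which usernames exist.
        for (String name : new String[] {"alice", "nobody"}) {
            try {
                manager.authenticate(
                    UsernamePasswordAuthenticationToken.unauthenticated(name, "wrong"));
            } catch (BadCredentialsException e) {
                System.out.println(name + ": " + e.getClass().getSimpleName());
            }
        }
        SecurityContextHolder.clearContext();      // do not leak the context to later work
    }
}
```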


In conclusion, this article provides a comprehensive analysis of Spring Security's architecture, offering valuable insights into its core functionalities. By delving into the key components of Spring Security such as the Servlet Filter Chain, DelegatingFilterProxy, Filter Chain Proxy, Security Filter Chain, and UsernamePasswordAuthenticationFilter, the article facilitates a thorough understanding of Spring Security's authentication management. With its clear explanations and illustrative diagrams, this article serves as a valuable resource for developers seeking to implement robust security measures within their Spring applications.

The subsequent article in this series will explore the practical implementation of Spring Security for database-based authentication. Feel free to leave a comment for any queries or to engage in discussion related to this topic.