Question 1

How does Spring Security authentication work internally?

Accepted Answer

In my flow, a request enters the SecurityFilterChain and eventually hits UsernamePasswordAuthenticationFilter for form login. That filter creates an Authentication object (UsernamePasswordAuthenticationToken) with authenticated=false and forwards it to the AuthenticationManager. ProviderManager delegates to DaoAuthenticationProvider, which loads the user via UserDetailsService and validates the password via PasswordEncoder. If everything matches, Spring returns a new authenticated token and stores it in the SecurityContext.

Question 2

What is SecurityFilterChain and FilterChainProxy in Spring Security?

Accepted Answer

SecurityFilterChain is the ordered list of security filters that process your request, and each filter has one specific job. FilterChainProxy is the routing component that decides which chain should handle the request based on your configuration. One app can have multiple chains—for example, one for “/api/**” and another for everything else.

Question 3

Why do I get 401 or 403 in Spring Security, and which filter triggers it?

Accepted Answer

If a request fails a filter-specific check, that filter can immediately reject the request and return 401 or 403. In my debugging walkthrough, AuthorizationFilter is where you clearly see “access denied” when isGranted is false. That’s the point where Spring checks whether the authenticated user has the required roles/permissions for the resource.

Question 4

What does UsernamePasswordAuthenticationFilter do during login?

Accepted Answer

It reads the username and password parameters from the login request, trims them, and creates a UsernamePasswordAuthenticationToken. At creation time, authenticated is explicitly set to false because verification hasn’t happened yet. Then it calls authenticationManager.authenticate(...) to hand off verification to providers.

Question 5

What is AuthenticationManager vs ProviderManager in Spring Security?

Accepted Answer

AuthenticationManager is the interface, and ProviderManager is the default implementation you commonly see in real apps. ProviderManager doesn’t validate credentials by itself—it iterates through a list of AuthenticationProvider implementations. It delegates to the first provider that supports the Authentication type and returns the result.

Question 6

How does DaoAuthenticationProvider validate username and password?

Accepted Answer

DaoAuthenticationProvider loads the user by username using UserDetailsService and then performs password verification using PasswordEncoder. The raw password comes from the Authentication object, while the stored password is hashed in the user details. If PasswordEncoder.matches(...) fails, you’ll get a BadCredentialsException; if it passes, authentication succeeds.

Question 7

Where does Spring Security store the authenticated user after login?

Accepted Answer

After successful authentication, the filter stores the authenticated token in the SecurityContext. In a typical session-based setup, it’s tied to a session ID created for the browser. On the next request, an early filter restores authentication from the session so the AuthenticationManager is bypassed.

Spring Security Internal Architecture: How Authentication Actually Works

🛍️ Products Mentioned (3)

GitHub

Join Discord

(free guide) Secure 3 Spring Boot endpoints in 30 minutes

About This Video

Frequently Asked Questions

🎬 More from Learn With Ifte