Deep Dive into Spring Security Architecture: Authentication, Authorization, and Filter Chains
This article explains the core architecture of Spring Security 6.x, detailing how a chain of servlet Filters implements authentication and authorization, the role of DelegatingFilterProxy, SecurityFilterChain, and the extensible components such as AuthenticationManager, UserDetailsService, and PasswordEncoder.
Spring Security is a powerful authentication and access‑control framework that protects against common attacks (CSRF, XSS, MITM) and offers features like password encoding, LDAP, session management, JWT, and OAuth2.
Because of its extensive feature set and high customizability, the framework is large and upgrades can be disruptive, which often makes it feel difficult for newcomers.
This article focuses on Spring Security 6.1.x used with Spring Boot 3.1.x, explaining its overall architecture and the implementation principles of the authentication and authorization modules.
The basic idea is that Spring Security works as a chain of servlet Filters placed before the DispatcherServlet. Each filter handles a specific concern, e.g., CsrfFilter, UsernamePasswordAuthenticationFilter, AuthorizationFilter, etc.
Example of a simple custom filter:
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Skeleton of a servlet filter in the Spring Security style: each numbered step
// is where a real filter would do its work; as written it passes every request on.
public class SimpleSecurityFilter extends HttpFilter {
    @Override
    protected void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // (1) extract credentials from the request
        // (2) reject the request if it is not authenticated (e.g. send 401 and return)
        // (3) otherwise continue the chain
        chain.doFilter(request, response);
    }
}

Multiple filters are combined into a SecurityFilterChain. The default chain (DefaultSecurityFilterChain) registers about fifteen filters, each contributing a piece of security functionality.
The DelegatingFilterProxy bridges the servlet container and the Spring container: it is registered with the servlet container like any other filter, but delegates to the Spring-managed FilterChainProxy bean. The FilterChainProxy holds one or more SecurityFilterChain instances and picks the first one whose request matcher matches the incoming request.
Authentication flow: UsernamePasswordAuthenticationFilter reads the username and password from the request, creates a UsernamePasswordAuthenticationToken, and passes it to an AuthenticationManager (usually a ProviderManager). The manager iterates over its AuthenticationProviders (e.g., DaoAuthenticationProvider), which use a UserDetailsService to load the user data and a PasswordEncoder to verify the password. On success, the resulting Authentication object is stored in the SecurityContext.
Authorization flow: Calling http.authorizeHttpRequests(...) registers an AuthorizationFilter. This filter invokes an AuthorizationManager (commonly AuthorityAuthorizationManager) that checks the required authorities against the Authentication retrieved from the SecurityContext. If the check fails, an AccessDeniedException is thrown.
The framework is highly extensible: developers can replace the UserDetailsService, PasswordEncoder, AuthenticationProvider, or AuthenticationManager, or even provide custom Filters, allowing fine-grained control over security behavior.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.