Spring Security Overview: Core Features, Principles, Access Control Methods, Role vs Authority, Password Encryption, and Username/Password Authentication Flow
This article explains Spring Security's core functions, underlying filter‑based mechanism, various request‑access control methods, the distinction between hasRole and hasAuthority, how to encrypt passwords with BCryptPasswordEncoder, and the complete username‑password authentication process for securing backend applications.
Spring Security is a security framework based on the Spring ecosystem that provides comprehensive solutions such as authentication, authorization, attack protection, session management, and monitoring.
Its core functions include:
Authentication: supports form login, HTTP Basic, OAuth2, and can integrate with many identity providers.
Authorization: offers role‑based, expression‑based, and other authorization strategies.
Attack protection: includes CSRF protection, injection defenses, etc.
Session management: token handling, concurrency control.
Monitoring and management: access logging, auditing.
Spring Security works by configuring security rules and a filter chain that intercepts requests, creates a SecurityContext after successful authentication, and uses it for subsequent authorization decisions.
Principle of Spring Security
The framework adds custom filters to the servlet filter chain. When a request arrives, the filters attempt to obtain authentication information; if none is present, a login page is shown. After successful credential verification, an authenticated SecurityContext is stored and used for later access checks.
Methods to control request access
permitAll(): allow any request without authentication.
denyAll(): block all requests.
anonymous(): allow only unauthenticated users.
authenticated(): require authentication but no specific role.
hasRole(String role): require a specific role (prefixed with ROLE_).
hasAnyRole(String... roles): require at least one of several roles.
hasAuthority(String authority): require a specific authority without a prefix.
hasAnyAuthority(String... authorities): require at least one of several authorities.
Difference between hasRole and hasAuthority
hasRole checks for a role name that is automatically prefixed with ROLE_, e.g., ROLE_ADMIN. hasAuthority checks for a plain authority string without any prefix. Example configuration:

```java
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/reports/**").hasAuthority("VIEW_REPORTS")
```

Password encryption
Spring Security uses a PasswordEncoder to hash passwords. Common implementations include BCryptPasswordEncoder, SCryptPasswordEncoder, and StandardPasswordEncoder. The typical steps with BCryptPasswordEncoder are:
Add the spring-security-crypto dependency in pom.xml:

```xml
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-crypto</artifactId>
    <version>5.6.1</version>
</dependency>
```

Declare a bean in a configuration class:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Published as a bean so the authentication provider and any @Autowired
    // client use the same encoder (and therefore the same hash format).
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
    // ...
}
```

Use the encoder where passwords are processed:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class UserServiceImpl implements UserService {

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    public User register(User user) {
        // Persist only the salted BCrypt hash; the raw password never reaches storage.
        String encodedPassword = passwordEncoder.encode(user.getPassword());
        user.setPassword(encodedPassword);
        return user;
    }
    // ...
}
```
Username‑password authentication flow
Credentials can be obtained via form login, HTTP Basic, or other mechanisms from the HttpServletRequest. The authentication process involves:
User requests a protected resource.
Spring Security intercepts the request and checks for an existing authentication.
If unauthenticated, the user is redirected to a login page.
The UsernamePasswordAuthenticationFilter captures the submitted credentials and creates an Authentication token.
The AuthenticationManager validates the token against a user store (in‑memory, database, LDAP, etc.) and builds a UserDetails object.
On success, an authenticated Authentication object is stored in the SecurityContextHolder and the user is redirected to the originally requested URL.
Subsequent requests are authorized based on the roles/authorities present in the security context.
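The following configuration ties the three preceding sections together: BCrypt-hashed credentials in a user store, the hasRole/hasAuthority distinction, and form login driving the UsernamePasswordAuthenticationFilter flow. It is an added example written for this page, not code from the article; the class name DemoSecurityConfig, the users alice and bob, their passwords and the URL patterns are all constructed, and the API is that of Spring Security 5.6 (the version the article's pom.xml uses).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Constructed sample user store. Because a PasswordEncoder bean exists,
    // DaoAuthenticationProvider verifies logins with encoder.matches(raw, hash),
    // so only the BCrypt hash is ever held; each encode() call gets a fresh salt.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice")
                .password(encoder.encode("alice-password"))
                // "ROLE_ADMIN" is what hasRole("ADMIN") looks for; equivalent to .roles("ADMIN").
                // "VIEW_REPORTS" is a plain authority and carries no prefix.
                .authorities("ROLE_ADMIN", "VIEW_REPORTS")
                .build(),
            User.withUsername("bob")
                .password(encoder.encode("bob-password"))
                .authorities("VIEW_REPORTS")   // bob can read reports but is not an admin
                .build());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // hasRole("ADMIN") matches the authority ROLE_ADMIN only; passing
                // "ROLE_ADMIN" here is rejected by Spring Security 5.x at startup.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/reports/**").hasAuthority("VIEW_REPORTS")
                .anyRequest().authenticated()
                .and()
            // Form login registers UsernamePasswordAuthenticationFilter on POST /login;
            // on success the Authentication lands in SecurityContextHolder and the
            // user is sent back to the originally requested URL.
            .formLogin();
    }
}
```

With this configuration bob is redirected to the login page for any URL, can open /reports/** after logging in, and receives 403 Forbidden for /admin/**; alice can open both. WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7 in favour of a SecurityFilterChain bean, but with 5.6.1 it is still the standard form.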
Overall, Spring Security combines filter‑based request interception with configurable authentication providers and authorization rules to protect backend applications.