Weekend Specials Offer - Upto 50% Off | OFFER ENDING IN: 0 D 0 H 0 M 0 S

Log In to start Learning

Login via

  • Home
  • Blog
  • Explain Spring Security arc...
Post By Admin Last Updated At 2020-06-11
Explain Spring Security architecture and working?

Spring Security is a flexible and powerful Java framework that authenticates, authorizes, and provides different security features to enterprise-level applications. Spring Security is the first choice for any enterprise to implement enterprise-level security. Moreover, it aims to provide an easy implementation for the developer to implement proper security in the application.

It was started in early 2003, by Acegi Security System for Spring to develop a spring-based security system. But in the year 2007, the project has been renamed Spring Security and it was accepted widely. Today, there are lots of users of this security system for web applications.

The existing Spring Security architecture needs Java 5.0 or higher version to run it successfully. It involves a complex architecture that includes two major areas such as Authentication and Authorization. Furthermore, these are the two issues that Spring Security needs to deal with.

Spring Security architecture

The Spring Security includes certain terms. These are Principle, Authentication, and Authorization & Secured Items.

  • The principle refers to the person, device, or user that performs any action.
  • Authentication refers to validating the user's credentials either correct or not.
  • Moreover, the Authorization refers to the decision of allowing a person of the device to perform tasks.
  • Besides, the Secured items refer to the resources that are used in this regard.

Let us understand the Spring Security architecture in brief first and then will elaborate it in detail. Spring Security includes architecture to isolate the authentication from authorization and also includes a strategy and extension points respectively. The Authentication process is accountable for validating the client or user credentials. Such as; it secures the User-id and Password.

Later, AuthenticationManager is an interface accountable for providing Authentication for Spring Security. It offers a useful and simple method to reach the mechanism. The login requests made by the client are forwarded to the Auth filter that simply forwards them to the Authentication Manager. Here, it is checked for its validity and again further processed.

Moreover, there will be a ProviderManager implemented by the Authentication Manager. It delegates the chain of objects of Auth. Provider.

At the end of the Authentication process within Spring Security, the Authorization process begins. The interface Authorization Manager is responsible for providing the Authentication mechanism and also controls the access decisions. This manager provides a useful method, decide() to implement authorization decisions properly based on the information given.

Thus, in this way, the whole process runs with Spring Security. Now we will go into details about it.


Authentication is the process of identifying user needs that he wants to access. Here, it involves the primary part of any access to information where the user gets only what is authenticated. Besides, the Authentication consists of an important part known as the Authentication Manager.

The Authentication Manager under Spring performs several standard things. Furthermore, there are several factors that help in this regard to happen in the process. Here,

  • A screen displays asking user login details like Username and Password.
  • If the username/password is given correctly then it identifies the exact place of information.
  • Here, it shows the list of users' permissions.
  • Moreover, a Security context is established here.
  • After getting validation, the user can proceed to perform his tasks.

Now, it comes the part of Authorization. It refers to the process of giving access control to the user. Here, the Access Decision Manager plays an important role. The method helps to provide access requesting by the object. Moreover, in any web application, this process is done through URL-based security. The spring provides various filters that ensure the security of the application. Besides, the authorization process includes the following. Here,

  • The user sends a request from the home page towards a server. It detects the request well.
  • The server redirects the user's request for authentication to another webpage. Besides, it again redirects a page with authentication information to the user.
  • Moreover, the server identifies that the user credentials are right.
  • Now the user gets access to the required information that he wants.

Furthermore, it offers method-level security to handle this problem. Such that, only certain authorized people can enter the application.

Password Storage

A security framework is mainly useful for protecting system passwords and making them hack free from external sources. Spring security provides a SoftwareEncoder interface that executes the one-way transformation of the password. There are several interfaces that Spring Security offers like; BCryptPasswordEncoder, Argon2 PasswordEncoder, Pbkdf2 PasswordEncoder, SCrypt PasswordEncoder. 

To get more insights from Spring Security architecture to opt for Spring Boot Online Course with industry experts.
Explain Spring Security architecture and working?| ITGuru
Spring Security configuration

In Spring Security, Java configuration support is very much important. Moreover, in Spring Security 3.2 version it is added. So that it allows Spring Security configuration without writing many codes. While deploying Spring Security, the user can eliminate the need for XML security configuration. Instead of this, he can add some annotations to it.

Moreover, we look into the Spring configuration process in the context of the application.

Here, we check the Security web application initializing. The following syntax will show the process.

package com.example; import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer; public class MvcWebApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer { @Override protected Class[] getRootConfigClasses() { return new Class[] { WebSecurityConfig.class }; } @Override protected Class[] getServletConfigClasses() { // TODO Auto-generated method stub return null; } @Override protected String[] getServletMappings() { return new String[] { "/" }; } }
Security Filter Chain

In Spring Security, the user needs a lot of filter chains for the web applications that are Spring beans. Moreover, the Spring Security filter bean requires in the application context file when they would be used in the web.xml file. Here, the FilterChainProxy helps us to add an individual entry to the web.xml. Moreover, it deals with the application context file for managing web security beans.


The main purpose of the filter names that are mandatory in this regards are;

  1. Security Context Integrator Filter- It helps to establish Security Context and maintains between the various HTTP requests.
  2. Logout Filter- This filter clears out the Security Context holder while logging out is requested
  3. Username Password Authentication filter- This helps to put Authentication into Security Context upon the login requests.
  4. Translation filter- It helps to convert the Spring Security Exceptions to HTTP redirects.
  5. Filter Security Interceptor- The filter Authorizes various web requests based on the configuration attributes.
  6. Later, we add the delegating filter for the Filter Chain Proxy to the web.xml filter.

The Spring Security maintains all the filter chains internally. Here each filter consists of individual responsibility. Moreover, the filters can be added or removed from the configuration depending upon the requirement.

||{"title":"Master in Spring Boot", "subTitle":"Spring Boot Certification Training by ITGURU's", "btnTitle":"View Details","url":"https://onlineitguru.com/spring-boot-training.html","boxType":"demo","videoId":"17jIMYoRfOA"}||

Method Security

Along with providing security to web applications, the Security system also offers support to apply access rules to the Java method executions. Besides, this is another kind of protected resource. Here the first step of the user is to enable the method security.

Spring Security features

There are many different features of this Security system. Moreover, these include the following features that help the system to implement security well.

  • LDAP or Lightweight Directory Access Protocol is an open-source application protocol. It helps to maintain and access distribution directory information services using IP.
  • JAAS or Java Authentication & Authorization Service is a pluggable module. IAnd the developer can deploy in Java and Spring framework for authentication.
  • Moreover, the Webform authentication helps to validate user credentials from the browser.
  • There is a Single sign-on facility provided by Spring that allows users to access many applications with a single account. The account needs to have a unique ID and password.
  • Spring Security also provides the support for Basic Access Authentication (BAA) which helps in providing User ID & Password. For this, you have to make a request over the network.
  • The feature Digest Access Authentication (DAA) in spring security allows you to make the authentication process more secure than BAA. It receives the confirmation from the browser first before sharing any crucial information over the network.
  • Moreover, there is a remember-me feature supported by the spring security that uses HTTP cookies of the browser. It remembers the user-id and password of the user whenever he logins using the same system or device. In case, he logs out from that it may not be able to remember those credentials.
  • Spring security supports the Webform authentication to be implemented by the users.
  • Further, the software localization feature enables the application to build application UI in any language.
  • The HTTP Auth. feature within spring security helps to author the web request URLs with the help of the Apache Ant path.
  • Moreover, the spring security framework version 4.x provides support to the latest features. Such as; Web-Socket security, Spring data integration support, and CSRF token issue resolver.
  • Spring 4 has different security levels such as Method level and URL Authorization.

Moreover, there are many other features also that makes the system much powerful.

Advantages of using Spring Security

The Spring Security architecture includes various advantages. The following benefits it provides to the users.

  • It supports complex tasks such as authentication and authorization.
  • Besides, this system integrates the Servlet API.
  • Moreover, it’s a portable system of security.
  • The system provides configuration support to the Java Programming language.
  • Besides, it also helps in the integration like Spring MVC
  • This security system offers CSRF protection.
  • Moreover, it also protects against different tasks commonly done.
  • Provides application-level security to web applications.

Moreover, access to certain web pages needs proper authorization also. Moreover, we can restrict access by certain people only. Besides, to control access, it requires some security restrictions at the application level. The Spring helps in this regard very much. Using this framework, users can secure their web applications. Furthermore, Spring is the best security framework for web applications.

Spring Security example

Now you got to know about Spring Security and its features in detail. Later, you will look into a working example using Eclipse IDE in place. In the following example, we are using Java configuration and applying Spring Security without using XML format.

The below-mentioned steps will help to understand the project in detail.

First, build a Spring Security configuration based on Java that uses a Servlet Filter to secure application URLs.

Next, develop the code for registering the “spring Security Filter Chain” for each URL that exists in the application.

Later, load the “WebSecurityConfig” file in the existing Application Initializer. Then add it into the method known getRootConfigClasses().

Now, use the “Web Security ConfigurerAdapter” class to set up HttpSecurity http () including default configuration.

Build a controller to manage the user requests coming through the network.

Finally, run the above-built project and check for the valid credentials in the output.

||{"title":"Master in Spring Boot", "subTitle":"Spring Boot Certification Training by ITGURU's", "btnTitle":"View Details","url":"https://onlineitguru.com/spring-boot-training.html","boxType":"reg"}||


The above writings help us to get an idea of the Spring Security architecture and its workings. The system provides security methods for web applications in different ways by applying Java configurations. It’s a kind of Java framework that helps to implement enterprise-level applications. Besides, every web application needs proper security as it tends to open through different browsers by various users. Moreover, it offers various features and advantages.  This enables the web applications to get secure from external threats if any occur.

To get practical knowledge on the Spring Security and the configurations that are useful one can opt for Spring Boot Online Training. Getting knowledge from industry experts like IT Guru may enhance skills and give away to plan a better career.