Spring Authentication Workflow

📋 Authentication Workflow Overview

▼

Spring Security's authentication workflow is a sophisticated process that involves multiple components working together to verify user credentials and establish security context.

1. Authentication Request

User submits credentials (username/password) through login form or API

↓

2. AuthenticationManager

Central coordinator that delegates authentication to appropriate providers

↓

3. AuthenticationProvider

Handles specific authentication mechanisms (DB, LDAP, OAuth, etc.)

↓

4. UserDetailsService

Loads user information from various data sources

↓

5. Authentication Result

Returns authenticated principal or throws exception

🎮 Interactive Flow Simulation

Click "Start Authentication Flow" to see the process in action...

🎯 AuthenticationManager

▼

The AuthenticationManager is the main interface for authentication in Spring Security. It's responsible for coordinating the authentication process.

Authentication authenticate(Authentication authentication) throws AuthenticationException

🔧 Core Responsibility

Acts as the central coordinator for authentication. It doesn't perform authentication itself but delegates to registered AuthenticationProviders.

🏗️ Implementation

Most commonly implemented by ProviderManager, which maintains a list of AuthenticationProviders and tries each one until success or all fail.

⚡ Key Features

Supports authentication erasure, parent authentication managers, and authentication event publishing.

@Component
public class CustomAuthenticationManager implements AuthenticationManager {
    
    @Autowired
    private List<AuthenticationProvider> providers;
    
    @Override
    public Authentication authenticate(Authentication authentication) 
            throws AuthenticationException {
        
        for (AuthenticationProvider provider : providers) {
            if (provider.supports(authentication.getClass())) {
                try {
                    Authentication result = provider.authenticate(authentication);
                    if (result != null) {
                        return result;
                    }
                } catch (AuthenticationException e) {
                    // Log and continue to next provider
                    lastException = e;
                }
            }
        }
        
        throw new ProviderNotFoundException("No suitable provider found");
    }
}

🧪 AuthenticationManager Demo

🔍 AuthenticationProvider

▼

The AuthenticationProvider interface defines the contract for authentication providers that handle specific authentication mechanisms.

Authentication authenticate(Authentication authentication) throws AuthenticationException

boolean supports(Class<?> authentication)

🎭 authenticate() Method

Performs the actual authentication logic. Returns a fully authenticated Authentication object with credentials cleared, or null if the provider cannot authenticate.

✅ supports() Method

Determines whether this provider can handle the given Authentication type. This allows for multiple providers handling different authentication mechanisms.

🔄 Common Implementations

DaoAuthenticationProvider (database), LdapAuthenticationProvider (LDAP), JwtAuthenticationProvider (JWT tokens), etc.

@Component
public class CustomDaoAuthenticationProvider implements AuthenticationProvider {
    
    @Autowired
    private UserDetailsService userDetailsService;
    
    @Autowired
    private PasswordEncoder passwordEncoder;
    
    @Override
    public Authentication authenticate(Authentication authentication) 
            throws AuthenticationException {
        
        String username = authentication.getName();
        String password = authentication.getCredentials().toString();
        
        // Load user details
        UserDetails userDetails = userDetailsService.loadUserByUsername(username);
        
        // Verify password
        if (!passwordEncoder.matches(password, userDetails.getPassword())) {
            throw new BadCredentialsException("Invalid credentials");
        }
        
        // Create successful authentication
        return new UsernamePasswordAuthenticationToken(
            userDetails, null, userDetails.getAuthorities());
    }
    
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

🔬 Provider Methods Demo

1

2

3

4

👤 UserDetailsService

▼

The UserDetailsService is a core interface that defines how to retrieve user information. It provides an abstraction layer over different user identity stores.

UserDetails loadUserByUsername(String username) throws UsernameNotFoundException

🎯 Primary Purpose

Provides a standard way to load user-specific data during authentication. It's the bridge between Spring Security and your user data source.

🔄 Data Source Abstraction

Can load users from databases, LDAP, memory, web services, or any custom source. Implementation details are hidden behind this interface.

📊 UserDetails Contract

Returns UserDetails object containing username, password, authorities, and account status flags (enabled, expired, locked).

@Service
public class CustomUserDetailsService implements UserDetailsService {
    
    @Autowired
    private UserRepository userRepository;
    
    @Override
    public UserDetails loadUserByUsername(String username) 
            throws UsernameNotFoundException {
        
        // Fetch user from database
        User user = userRepository.findByUsername(username)
            .orElseThrow(() -> new UsernameNotFoundException(
                "User not found: " + username));
        
        // Convert to Spring Security UserDetails
        return org.springframework.security.core.userdetails.User.builder()
            .username(user.getUsername())
            .password(user.getPassword())
            .authorities(user.getRoles().stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role.getName()))
                .collect(Collectors.toList()))
            .accountExpired(!user.isAccountNonExpired())
            .accountLocked(!user.isAccountNonLocked())
            .credentialsExpired(!user.isCredentialsNonExpired())
            .disabled(!user.isEnabled())
            .build();
    }
}

🎪 UserDetailsService Demo

// Custom UserDetails implementation
public class CustomUserDetails implements UserDetails {
    private String username;
    private String password;
    private List<GrantedAuthority> authorities;
    private boolean enabled;
    private boolean accountNonExpired;
    private boolean credentialsNonExpired;
    private boolean accountNonLocked;
    
    // Constructor and getters...
    
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return authorities;
    }
    
    @Override
    public boolean isEnabled() {
        return enabled;
    }
    
    // Other UserDetails methods...
}

🔗 Complete Integration Example

▼

Here's how all components work together in a complete Spring Security configuration:

📌 Diagram inspired by JavaInUse Spring Security JWT Series (Chapter 3)

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    
    @Autowired
    private CustomUserDetailsService userDetailsService;
    
    @Bean
    public AuthenticationManager authenticationManager(
            AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }
    
    @Bean
    public AuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder());
        return provider;
    }
    
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
    
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/register").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(form -> form
                .loginPage("/login")
                .defaultSuccessUrl("/dashboard")
            )
            .authenticationProvider(authenticationProvider());
        
        return http.build();
    }
}
                

                
                    🎯 Complete Flow Demonstration

🔐 Spring Authentication Workflow