Authentication

Back

Loading concept...

🛡️ Spring Security Authentication: Your App’s Personal Bodyguard

🎭 The Story: Meet Your Nightclub Bouncer

Imagine your Spring application is the coolest nightclub in town. Every night, hundreds of people want to get in. But you can’t let just anyone waltz through the door!

You need a bouncer — someone who:

  1. Checks IDs at the door (Authentication)
  2. Decides who gets VIP access (Authorization)
  3. Follows a strict checklist (Security Filter Chain)

Spring Security is that bouncer. Let’s meet the entire security team! 🕵️

🔐 Security Fundamentals: The Big Picture

What is Security?

Think of it like your house:

  • Lock on the door = Authentication (proving who you are)
  • Keys for different rooms = Authorization (what you can access)
  • Alarm system = Security monitoring

The Two Big Questions

Spring Security answers two questions for every request:

1. WHO are you? → Authentication
2. WHAT can you do? → Authorization

Real Example

// Someone knocks on your app's door
GET /api/my-account

// Spring Security asks:
// "Who is this person?"
// "Can they see account info?"

Simple Rule: First prove who you are, THEN we check what you can do.

📋 Security Filter Chain Order: The Bouncer’s Checklist

The Concept

Your bouncer doesn’t just wing it. They follow a strict checklist in order!

graph TD
    A["🚪 Request Arrives"] --> B["1️⃣ CORS Filter"]
    B --> C["2️⃣ CSRF Filter"]
    C --> D["3️⃣ Authentication Filter"]
    D --> E["4️⃣ Authorization Filter"]
    E --> F["5️⃣ Exception Handler"]
    F --> G["✅ Your Controller"]

Why Order Matters

Imagine checking VIP status BEFORE checking the ID. Chaos! 😱

The filters run in a specific order:

Order Filter Job
1 CORS “Is this request from an allowed website?”
2 CSRF “Is this form submission legit?”
3 Authentication “Who is this person?”
4 Authorization “Can they access this?”
5 Exception Handler “Something went wrong, handle it nicely”

Code Example

@Bean
SecurityFilterChain filterChain(
    HttpSecurity http) throws Exception {

    http
        .cors()  // Step 1
        .and()
        .csrf()  // Step 2
        .and()
        .httpBasic()  // Step 3
        .and()
        .authorizeHttpRequests();  // Step 4

    return http.build();
}

🎫 Authentication Concepts: Proving Who You Are

The Nightclub Analogy

At our nightclub door:

  1. You show your ID (credentials)
  2. Bouncer checks it against the list (UserDetailsService)
  3. You get a wristband (Authentication token)
  4. Now you can move freely (authenticated session)

Key Players

graph TD
    A["👤 User"] -->|Username + Password| B["🔍 AuthenticationManager"]
    B -->|"Find this user"| C["📋 UserDetailsService"]
    C -->|User found!| D["🔐 PasswordEncoder"]
    D -->|Password matches!| E["✅ Authentication Object"]
    E -->|Stored in| F["🧠 SecurityContext"]

The Authentication Object

When you’re authenticated, Spring creates this:

// What Spring knows about you
Authentication auth = SecurityContextHolder
    .getContext()
    .getAuthentication();

auth.getPrincipal();    // WHO you are
auth.getCredentials();  // HOW you proved it
auth.getAuthorities();  // WHAT you can do

Think of it as your VIP wristband! 🎫

⛓️ SecurityFilterChain: Building Your Bouncer

What is SecurityFilterChain?

It’s your custom bouncer rules. You decide:

  • Which doors need ID checks
  • Which are open to everyone
  • What kind of ID you accept

Basic Example

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(
        HttpSecurity http) throws Exception {

        http
            .authorizeHttpRequests(auth -> auth
                // Public doors
                .requestMatchers("/").permitAll()
                .requestMatchers("/login").permitAll()
                // VIP only
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults());

        return http.build();
    }
}

Breaking It Down

Code Meaning
@EnableWebSecurity “Turn on the bouncer!”
requestMatchers("/") “For the home page…”
.permitAll() “…let everyone in”
.anyRequest() “For everything else…”
.authenticated() “…check their ID first”

👤 UserDetailsService: The Guest List Manager

The Concept

Remember the guest list at our nightclub? UserDetailsService manages it!

When someone shows their ID, it answers:

  • “Do we know this person?”
  • “What’s their password?”
  • “What access level do they have?”

Simple Implementation

@Service
public class MyUserService
    implements UserDetailsService {

    @Override
    public UserDetails loadUserByUsername(
        String username) {

        // Find user in database
        User user = userRepo
            .findByUsername(username)
            .orElseThrow(() ->
                new UsernameNotFoundException(
                    "User not found"));

        // Return user details
        return new org.springframework.security
            .core.userdetails.User(
                user.getUsername(),
                user.getPassword(),
                user.getAuthorities()
            );
    }
}

What UserDetails Contains

graph TD
    A["🎫 UserDetails"] --> B["Username"]
    A --> C["Password - encoded!"]
    A --> D["Authorities/Roles"]
    A --> E["Account Status"]
    E --> F["Is Enabled?"]
    E --> G["Is Not Expired?"]
    E --> H["Is Not Locked?"]

🔒 Password Encoding: Never Store Plain Passwords!

The Golden Rule

NEVER store passwords as plain text. Ever. Period. 🚫

❌ BAD:  password123
✅ GOOD: $2a$10$N9qo8uLOickgx2ZMRZoMye...

Why Encode?

If someone steals your database:

  • Plain text: They have all passwords instantly 😱
  • Encoded: They have useless scrambled text 😌

BCrypt: The Standard

@Bean
PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

How It Works

graph LR
    A["password123"] -->|BCrypt| B["$2a$10$N9qo8u..."]
    C["password123"] -->|BCrypt| D["$2a$10$xYz7Kp..."]
    style A fill:#ff6b6b
    style C fill:#ff6b6b
    style B fill:#4ecdc4
    style D fill:#4ecdc4

Notice: Same password, different encoded values! That’s the magic of salting.

Using Password Encoder

// When creating a user
String rawPassword = "password123";
String encoded = passwordEncoder
    .encode(rawPassword);
user.setPassword(encoded);

// When checking password
boolean matches = passwordEncoder
    .matches(rawPassword, encoded);
// Returns true!

⚙️ Authentication Configuration: Putting It All Together

Complete Example

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService() {
        UserDetails user = User.builder()
            .username("user")
            .password(passwordEncoder()
                .encode("password"))
            .roles("USER")
            .build();

        UserDetails admin = User.builder()
            .username("admin")
            .password(passwordEncoder()
                .encode("admin123"))
            .roles("ADMIN")
            .build();

        return new InMemoryUserDetailsManager(
            user, admin);
    }

    @Bean
    SecurityFilterChain filterChain(
        HttpSecurity http) throws Exception {

        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**")
                    .hasRole("ADMIN")
                .requestMatchers("/user/**")
                    .hasRole("USER")
                .requestMatchers("/public/**")
                    .permitAll()
                .anyRequest()
                    .authenticated()
            )
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout
                .logoutSuccessUrl("/"));

        return http.build();
    }
}

What This Creates

graph LR
    A["🌐 Any Request"] --> B{Path?}
    B -->|/public/**| C["✅ Let them in"]
    B -->|/user/**| D{Has USER role?}
    B -->|/admin/**| E{Has ADMIN role?}
    B -->|Other| F{Authenticated?}
    D -->|Yes| G["✅ Access granted"]
    D -->|No| H["❌ 403 Forbidden"]
    E -->|Yes| I["✅ Access granted"]
    E -->|No| J["❌ 403 Forbidden"]
    F -->|Yes| K["✅ Access granted"]
    F -->|No| L["🔐 Login page"]

🎯 Quick Reference

Concept Purpose Key Class
Security Fundamentals Foundation of protection Spring Security
Filter Chain Order of security checks SecurityFilterChain
Authentication Proving identity AuthenticationManager
UserDetailsService Finding user info UserDetailsService
Password Encoding Safe password storage BCryptPasswordEncoder
Configuration Setting up rules @EnableWebSecurity

🚀 Your Confidence Boost

You now understand:

✅ Security is about WHO you are and WHAT you can do

✅ Filters run in a specific order — like a bouncer’s checklist

Authentication proves your identity

SecurityFilterChain is your custom security rulebook

UserDetailsService manages user information

Always encode passwords with BCrypt

✅ Configuration ties everything together beautifully

You’ve got the keys to the kingdom! 🏰

💡 Remember This

“Spring Security is like a nightclub bouncer: First, check the ID (Authentication). Then, check the VIP list (Authorization). Always follow the checklist (Filter Chain). Never store passwords in plain sight!”

Now go build something secure! 🔐

Loading story...

Story - Premium Content

Please sign in to view this story and start learning.

Upgrade to Premium to unlock full access to all stories.

Sign In to Access Get Premium Access Close

Stay Tuned!

Story is coming soon.

Story Preview

Story - Premium Content

Please sign in to view this concept and start learning.

Upgrade to Premium to unlock full access to all content.

Sign In to Access Get Premium Access Close