
How the Authentication works in Spring Security

Authentication is the process of identifying a user by a proof of identity such as a username and password. Put simply, the application asks "who are you?", and you must answer that question in a way it can verify.

We have already seen how to configure authentication in a Spring Boot application; if you want to revisit that, see the earlier article Spring Security Authentication. In this article I explain in detail how that authentication actually works inside Spring Security.

In a Spring Boot application, once "spring-boot-starter-security" is added as a dependency, authentication is enabled automatically. By default every URL is secured, and a request must be authenticated before it can access any of them.

Let me explain what happens in the background during authentication. Before that, we need to know about filters, because filters play a vital role in authentication.

Filters and their usages

Filters intercept incoming requests (URLs) and can route them to different servlets for different jobs. A filter can inspect and manipulate a request before it reaches the servlet.

Normally one URL maps to one servlet method, but a filter can be mapped to a whole range of URLs in front of the servlet.

Delegating Filter Proxy

The Delegating Filter Proxy sits at the entry point of the servlet filter chain. It receives every request first and delegates it to a bunch of Spring Security specific filters, each of which does a different job. With or without the "spring-boot-starter-security" dependency, Spring Security does its filtering work through this Delegating Filter Proxy.

In a Spring Boot application this Delegating Filter Proxy is registered automatically. If you are working with plain Spring Web MVC, you have to add this filter manually so that it intercepts the requests.

In that case you have to add the following to the web.xml file manually (the filter-name must match the name of the Spring bean the proxy delegates to; Spring Security registers its filter chain as the bean "springSecurityFilterChain"):

<!-- DelegatingFilterProxy looks up a bean with the same name as filter-name
     and hands every request it receives to that bean's doFilter() -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- "/*" puts the proxy, and therefore the whole Spring Security chain, in front of every URL -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The "/*" mapping sends every incoming request through this filter, which then allows or denies the request based on your security configuration.


Many types of filters are available, each doing a different job. In this article we are only looking at authentication, so let me discuss just the authentication filter here and then move directly to the authentication flow.

Authentication Filter

The Authentication Filter intercepts every authentication request and initiates the authentication process.

How the Authentication works in Spring Security

The step-by-step explanation below describes how the authentication flow happens in Spring Security.

[Figure: Authentication Flow]

Step 1

Several types of authentication are available in Spring Boot. Here I choose form login, so the username and password are the inputs for authentication.

The Authentication Filter intercepts the login request, checks whether the request carries credentials, and passes them on. Spring Security then puts those credentials into an Authentication object.

Step 2

The Authentication object holds the user credentials, such as the username and password, and is then passed to the Authentication Provider for authentication.

AuthenticationProvider is an interface that is responsible for the authentication itself. To perform authentication in an application we implement this interface and configure its authenticate() method.

The Authentication Provider validates the user credentials carried by this Authentication object inside its authenticate() method. Once authentication succeeds, it returns an Authentication object that carries the principal.

The principal is nothing but the information about the logged-in user; it does not contain the login credentials. If authentication fails, that is, if the username or password is incorrect, the provider throws an exception.

Summary of Authentication

To summarise, both the input and the output of the authentication process are Authentication objects. On input the object holds the login information (username, password); on output it holds the principal (information about the logged-in user).

This is how authentication works in Spring Security. We have seen the two interfaces involved in the process: AuthenticationProvider and Authentication.

Now let us see the method summary of both the interfaces.

Method Summary of Authentication Provider Interface

Modifier and Type | Method and Description
Authentication | authenticate(Authentication authentication) - Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication).
boolean | supports(Class<?> authentication) - Returns true if this AuthenticationProvider supports the indicated Authentication object.

The AuthenticationProvider interface has two methods. The authenticate() method, whose return type is Authentication, takes an Authentication object as input and returns an Authentication object as output; this is the method that actually performs the authentication.

The supports() method, whose return type is boolean, takes the class of the Authentication object (Class<?>) as input and returns true or false. It is used to check whether this Authentication Provider can handle that type of authentication.
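The following is an added example, not code from the original post, of a custom AuthenticationProvider that performs the Step 1/Step 2 flow described above for form login: it takes the Authentication object carrying username and password, checks them against a user store, and returns an authenticated Authentication object whose principal is the user and whose credentials are dropped. The in-memory store of BCrypt hashes and the PasswordEncoder are assumptions for the demonstration; the Spring Security classes used are real.

```java
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Custom AuthenticationProvider for the form-login (username/password) flow. */
public class InMemoryAuthenticationProvider implements AuthenticationProvider {

    // Hypothetical user store: username -> BCrypt hash of the password (never plaintext).
    private final Map<String, String> passwordHashes;
    private final PasswordEncoder encoder;

    public InMemoryAuthenticationProvider(Map<String, String> passwordHashes, PasswordEncoder encoder) {
        this.passwordHashes = passwordHashes;
        this.encoder = encoder;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Input token (Step 1): getPrincipal() is the submitted username,
        // getCredentials() the raw password, isAuthenticated() is false.
        String username = authentication.getName();
        Object rawCredentials = authentication.getCredentials();
        String rawPassword = rawCredentials == null ? "" : rawCredentials.toString();

        String storedHash = passwordHashes.get(username);
        // Same generic failure for unknown user and wrong password, so the
        // response does not reveal which usernames exist.
        if (storedHash == null || !encoder.matches(rawPassword, storedHash)) {
            throw new BadCredentialsException("Bad credentials");
        }

        // Output token (Step 2): principal plus granted authorities, credentials set to
        // null. This three-argument constructor marks the token as authenticated.
        return new UsernamePasswordAuthenticationToken(
                username, null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only username/password tokens are handled by this provider.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Exposing an instance of this class as a Spring bean is enough for Spring Boot's auto-configured AuthenticationManager to route form-login tokens to it.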

Method Summary of Authentication Interface

Modifier and Type | Method and Description
Collection<GrantedAuthority> | getAuthorities() - Set by an AuthenticationManager to indicate the authorities that the principal has been granted.
Object | getCredentials() - The credentials that prove the principal is correct.
Object | getDetails() - Stores additional details about the authentication request.
Object | getPrincipal() - The identity of the principal being authenticated.
boolean | isAuthenticated() - Used to indicate to AbstractSecurityInterceptor whether it should present the authentication token to AuthenticationManager.
void | setAuthenticated(boolean isAuthenticated) - Implementations should always allow this method to be called with a false parameter, as this is used by various classes to specify that the authentication token should not be trusted.

The Authentication interface has many methods, each serving a different purpose. Here let me explain the three methods that matter for this article.

getCredentials() - Returns the credentials that were taken from the request and placed in the Authentication object. These are present before authentication.

getPrincipal() - Returns the logged-in user's information held by the Authentication object. This is populated after authentication, that is, once the authentication has finished successfully.

isAuthenticated() - Reports the authentication status of the object. If the user has been authenticated successfully it returns true and the Authentication object holds the principal; if not, it returns false and the Authentication object still holds the user credentials.

Here I have explained the authentication process of Spring Security in detail for form login (username and password) authentication.

In the next article we will see how this authentication works when an application supports several types of authentication, such as OAuth, SSO/LDAP, and Okta.

Hope you understood the concept. Thanks! Keep reading!
