Spring Security
Spring Security is the standard authentication and authorization framework for Spring applications. Its filter-chain architecture intercepts every HTTP request and applies security rules before the request reaches your controller. Understanding the security filter chain, OAuth2 flows, and JWT validation is essential for building production-grade APIs and for passing system-design interviews.
What You'll Find Here
Notes are being added. Planned topics:
| Topic | Description |
|---|---|
| Security Filter Chain | How the SecurityFilterChain, an ordered list of servlet Filter instances (many of them OncePerRequestFilter subclasses), intercepts and processes every request. |
| Authentication | UserDetailsService, PasswordEncoder (BCrypt), authentication providers. |
| Authorization | Role- and permission-based access with @PreAuthorize, @Secured, hasRole. |
| OAuth2 & OIDC | Resource server, authorization server, OpenID Connect flows. |
| JWT | Token structure, validation, signing (symmetric vs. asymmetric), expiry handling. |
| CSRF & CORS | Default CSRF protection; CORS configuration for SPA-to-API communication. |
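To make the topics above concrete, here is a single Spring Security 6 / Spring Boot 3 configuration that wires them together: the SecurityFilterChain bean, a BCrypt PasswordEncoder with a UserDetailsService, URL-level authorization with a deny-by-default tail, CSRF disabled only because the API is stateless, an explicit CORS policy for an SPA, and a `@PreAuthorize` rule on a service method. This is an added example written for this page, not code from the Spring project; the package, class names, user names, passwords and the origin `https://app.example.com` are hypothetical.

```java
package com.example.api.security; // hypothetical package name

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableMethodSecurity // turns on @PreAuthorize for every bean in the context
public class ApiSecurityConfig {

    // The SecurityFilterChain bean: an ordered list of servlet Filters that every
    // request passes through before any controller runs. Each call below registers
    // or configures one or more filters in that chain.
    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Stateless API: no HttpSession is ever created, so there is no session
            // cookie for CSRF to ride on. Keep CSRF enabled wherever cookie sessions are used.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(AbstractHttpConfigurer::disable)
            .cors(c -> c.configurationSource(corsConfigurationSource()))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN") // authority ROLE_ADMIN
                .anyRequest().authenticated())                      // deny-by-default tail
            .httpBasic(Customizer.withDefaults()); // credentials checked against userDetailsService()
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // BCrypt with work factor 12; raise it as hardware gets faster.
        return new BCryptPasswordEncoder(12);
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // In-memory users for the example only; a real deployment backs this with a user store.
        // Passwords are stored hashed, never as the raw string.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-pw")).roles("USER").build(),
            User.withUsername("ops").password(encoder.encode("ops-pw")).roles("USER", "ADMIN").build());
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        // Exact SPA origin. A wildcard origin combined with credentials is rejected by Spring,
        // and would otherwise let any site make credentialed calls.
        cfg.setAllowedOrigins(List.of("https://app.example.com")); // hypothetical origin
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        cfg.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg);
        return source;
    }

    @Bean
    OrderService orderService() {
        return new OrderService();
    }

    // Method security layered on top of the URL rules: an owner may read their own
    // order, an admin may read any. The #ownerId reference needs parameter names at
    // runtime (javac -parameters), which the Spring Boot build plugins enable by default.
    public static class OrderService {
        @PreAuthorize("hasRole('ADMIN') or #ownerId == authentication.name")
        public String findOrder(String ownerId, long orderId) {
            return "order " + orderId + " owned by " + ownerId;
        }
    }
}
```

With this in place, `GET /api/public/ping` is open, `/api/admin/**` needs a user that was built with `roles("ADMIN")`, everything else needs valid Basic credentials, and `orderService.findOrder("alice", 7)` succeeds for `alice` or `ops` but is rejected with an AccessDeniedException for any other authenticated user. Because the URL rules and the method rule are independent, a request has to pass both; removing a URL matcher by mistake does not silently open the service method.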
Learning Path
- Security Filter Chain — start here; the filter-chain mental model explains why security is applied universally.
- Authentication — `UserDetailsService` + `PasswordEncoder` is the minimal secure auth setup.
- Authorization — `@PreAuthorize` with SpEL expressions is clean and testable; prefer it over URL matchers alone, because the rule travels with the method instead of a URL pattern that can drift from the controller mapping.
- JWT — understand token structure (header.payload.signature) and stateless auth before tackling OAuth2.
- OAuth2 & OIDC — this is the real-world auth pattern for API security; know the difference between the authorization code (with PKCE), client credentials, and implicit flows, and know that implicit is deprecated by the OAuth 2.0 Security Best Current Practice and should not be used for new clients.
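The JWT step above, the choice between symmetric and asymmetric signing and the validation a resource server must do beyond checking the signature, is shown below as an added example written for this page (not code from the Spring project). It assumes Spring Security 6 with `spring-boot-starter-oauth2-resource-server`, and the property names `app.jwt.public-key-location` and `app.jwt.hmac-secret`, the issuer `https://issuer.example.com`, the audience `orders-api` and the profile names are all hypothetical.

```java
package com.example.api.security; // hypothetical package name

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.util.Collection;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.io.Resource;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Hypothetical values; in practice they come from configuration.
    private static final String EXPECTED_ISSUER = "https://issuer.example.com";
    private static final String EXPECTED_AUDIENCE = "orders-api";

    // Asymmetric (RS256): the API holds only the public key. A compromised API cannot
    // mint tokens, and any number of services can verify the same issuer's tokens.
    @Bean
    @Profile("rsa")
    JwtDecoder rsaJwtDecoder(@Value("${app.jwt.public-key-location}") Resource pem) throws IOException {
        RSAPublicKey publicKey = RsaKeyConverters.x509().convert(pem.getInputStream());
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(publicKey)
            // Pin the algorithm: a token whose header says HS256 is rejected outright
            // instead of being treated as an HMAC keyed with the public key bytes.
            .signatureAlgorithm(SignatureAlgorithm.RS256)
            .build();
        decoder.setJwtValidator(claimValidators());
        return decoder;
    }

    // Symmetric (HS256): one secret both signs and verifies, so every holder can forge
    // tokens. Only defensible when the issuer and the verifier are the same deployment.
    @Bean
    @Profile("hmac")
    JwtDecoder hmacJwtDecoder(@Value("${app.jwt.hmac-secret}") String secret) {
        byte[] raw = secret.getBytes(StandardCharsets.UTF_8);
        if (raw.length < 32) {
            // RFC 7518 section 3.2: an HS256 key must be at least 256 bits.
            throw new IllegalStateException("HS256 secret must be at least 32 bytes");
        }
        SecretKey key = new SecretKeySpec(raw, "HmacSHA256");
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(key)
            .macAlgorithm(MacAlgorithm.HS256)
            .build();
        decoder.setJwtValidator(claimValidators());
        return decoder;
    }

    // A valid signature is necessary, not sufficient: also enforce exp/nbf with a bounded
    // clock skew (Spring's default is 60 s), the issuer we trust, and that the token was
    // minted for this API rather than for some other audience of the same issuer.
    private static OAuth2TokenValidator<Jwt> claimValidators() {
        return new DelegatingOAuth2TokenValidator<>(
            new JwtTimestampValidator(Duration.ofSeconds(30)),
            new JwtIssuerValidator(EXPECTED_ISSUER),
            new JwtClaimValidator<Collection<String>>(JwtClaimNames.AUD,
                aud -> aud != null && aud.contains(EXPECTED_AUDIENCE)));
    }
}
```

The bean is picked up automatically by `http.oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))` in the SecurityFilterChain, which installs a BearerTokenAuthenticationFilter that hands every `Authorization: Bearer ...` header to this JwtDecoder. A token that fails any validator (expired, wrong issuer, missing audience, bad signature) is rejected with 401 before the request reaches a controller; note that `setJwtValidator` replaces the default validator, which is why the timestamp check is listed explicitly rather than assumed.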
Related Domains
- Spring Boot — `spring-boot-starter-security` auto-configures a default security setup.
- Web & REST — CORS configuration and stateless REST security are web-layer concerns.
- Spring Framework — Spring Security's AOP method security builds on Spring AOP.