Spring Security
Spring Security is the standard authentication and authorization framework for Spring applications. Its filter-chain architecture intercepts every HTTP request and applies security rules before the request reaches your controller. Understanding the security filter chain, OAuth2 flows, and JWT validation is essential for building production-grade APIs and for passing system-design interviews.
Notes in This Domain
| Note | Description |
|---|---|
| Security Filter Chain | How the ordered chain of servlet filters intercepts every request — DelegatingFilterProxy, FilterChainProxy, SecurityContextHolder, and custom filter registration. |
| Authentication | Verifying who the user is — UserDetailsService, BCryptPasswordEncoder, AuthenticationManager, DaoAuthenticationProvider, and wiring a custom login endpoint. |
| Authorization | Controlling what users can do — URL-based rules with requestMatchers, method-level security with @PreAuthorize/@PostAuthorize, SpEL expressions, and custom PermissionEvaluator. |
| JWT | JSON Web Token structure, symmetric vs. asymmetric signing, Spring Security resource server validation, claims-to-authorities conversion, and refresh token patterns. |
| OAuth2 & OIDC | Authorization Code, Client Credentials, and PKCE flows — configuring Spring Boot as an OAuth2 client (social login) and resource server (JWT API). |
| CSRF & CORS | CSRF protection and when to disable it for REST APIs; CORS preflight configuration to allow SPA-to-API communication without 401/403 errors. |
Learning Path
- Security Filter Chain — start here; the filter-chain mental model explains why security is applied universally to every request.
- Authentication — UserDetailsService + BCryptPasswordEncoder is the minimal secure auth setup; understand how credentials become an Authentication in SecurityContextHolder.
- Authorization — @PreAuthorize with SpEL expressions is clean and testable; understand the role/authority distinction before writing access rules.
- CSRF & CORS — foundational configuration; most REST API issues involving 403 and missing CORS headers come from misconfiguring these.
- JWT — understand token structure (header.payload.signature) and stateless auth; required reading before tackling OAuth2.
- OAuth2 & OIDC — real-world auth pattern for API security; know the difference between authorization code, client credentials, and PKCE flows.
Related Domains
- Spring Boot — spring-boot-starter-security auto-configures a default security setup.
- Web & REST — CORS configuration and stateless REST security are web-layer concerns.
- Spring Framework — Spring Security's AOP method security builds on Spring AOP.
Demos
Hands-on, runnable demos for common Spring Security scenarios:
| Demo | What It Shows |
|---|---|
| Security Filter Chain — Practical Demo | Minimal stateless config, custom filters, multiple chains, and TRACE logging examples. |
| Authentication — Practical Demo | JPA UserDetailsService, password hashing at registration, login endpoint, and test patterns with @WithMockUser. |
| Authorization — Practical Demo | URL rules matrix, @PreAuthorize examples, PermissionEvaluator implementation, and authorization tests. |
| JWT — Practical Demo | Token generation (JJWT), JwtService, JwtAuthenticationConverter, and example curl scripts. |
| OAuth2 & OIDC — Practical Demo | Social login (OIDC), OidcUserService persistence, Keycloak resource server, and Client Credentials with WebClient. |
| CSRF & CORS — Practical Demo | Cookie CSRF for SPAs, disabling CSRF for JWT APIs, production CORS config, preflight 401 fix, and MockMvc tests. |