Mainly in the security filter chain, before the request reaches controllers. Filters first authenticate the request and build the `SecurityContext`; authorization checks (URL rules, method security, etc.) then decide whether access is allowed.
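
An added example, not from the original page, assuming the framework meant here is Spring Security 6 in a Spring Boot web application: it shows the filter chain authenticating the request and then both authorization layers named above. The paths, the `REPORT_READ` authority and the class names are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity // turns on @PreAuthorize checks (method security)
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Authentication: the HTTP Basic filter validates credentials and
            // stores the resulting Authentication in the SecurityContext.
            .httpBasic(Customizer.withDefaults())
            // URL rules: evaluated by the authorization filter at the end of the
            // chain, before the request is dispatched to any controller.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()      // hypothetical path
                .requestMatchers("/admin/**").hasRole("ADMIN")  // hypothetical path
                .anyRequest().authenticated()); // everything else needs a logged-in user
        return http.build();
    }
}

@RestController
class ReportController {

    // Reached only after the filter chain has authenticated the caller and the
    // URL rule has passed; @PreAuthorize adds a second, method-level check.
    @GetMapping("/reports/summary")
    @PreAuthorize("hasAuthority('REPORT_READ')") // hypothetical authority name
    String summary() {
        // The SecurityContext built by the filters is readable here.
        Authentication who = SecurityContextHolder.getContext().getAuthentication();
        return "summary for " + who.getName();
    }
}
```

A request to `/reports/summary` without credentials is rejected by the filter chain with 401 and the controller method never runs; an authenticated caller lacking `REPORT_READ` gets 403 from the method-security check.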