Springhard

Spring Security — where do authentication/authorization happen?

Answer

Mainly in the security filter chain, before the request reaches controllers. Filters build the `SecurityContext` (authentication), then authorization checks decide if access is allowed (URL rules, method security, etc.).

Advanced answer

Deep dive

Spring Security sits in front of your MVC layer as a chain of servlet filters (Security Filter Chain). Every request flows through filters before hitting controllers.

Authentication

A filter extracts credentials (session, basic auth, JWT bearer token, etc.).
`AuthenticationManager` delegates to one or more `AuthenticationProvider`s.
On success, an `Authentication` is stored in `SecurityContextHolder`.

Authorization

Authorization decisions are made for each request (and sometimes per method call) based on:

URL rules (`authorizeHttpRequests`), and/or
method security (`@PreAuthorize`, `@PostAuthorize`).

Example

@Bean
SecurityFilterChain security(HttpSecurity http) throws Exception {
  return http
    .authorizeHttpRequests(a -> a
      .requestMatchers("/admin/**").hasRole("ADMIN")
      .anyRequest().authenticated())
    .build();
}

@PreAuthorize("hasRole('ADMIN')")
void deleteUser(long id) { /* ... */ }

Common pitfalls

Assuming authorization is checked only once at login (it’s evaluated per request / per method).
Misunderstanding CSRF defaults in browser-based apps.