A comprehensive and clear table covering the key Spring Security components
| Component | Type | Responsibility | Common Use / Notes | Relations |
|---|---|---|---|---|
| `SecurityContextHolder` | Class | Stores the current `SecurityContext` per thread (per request). | Used to retrieve the authenticated user globally. | → Holds `SecurityContext` → Contains `Authentication` |
| `SecurityContext` | Interface | Represents the security state of the application (i.e. who is authenticated). | Always accessed via `SecurityContextHolder.getContext()`. | → Contains `Authentication` |
| `Authentication` | Interface | Represents the authentication token. Holds `principal`, `credentials`, `authorities`, etc. | Returned by authentication mechanisms, set into the `SecurityContext`. | → Contains: `Principal`, `Credentials`, `Collection<GrantedAuthority>` |
| `GrantedAuthority` | Interface | Represents a permission/role. | Abstract interface for authorities like `"ROLE_ADMIN"`, `"READ_PRIVILEGE"`. | → Implemented by `SimpleGrantedAuthority` |
| `SimpleGrantedAuthority` | Class | Default implementation of `GrantedAuthority` with a simple `String authority`. | Most common way to represent roles or permissions. | → Constructed from strings like `"ROLE_USER"` |
| `Principal` | Interface | Represents the user. | From `java.security.Principal`; `Authentication` extends this interface. | → Typically a domain `User` or `UserDetails` object |
| `AuthenticationManager` | Interface | Validates the authentication request. | Not used directly in OAuth2 Resource Server, but critical in login-based setups. | → Calls `AuthenticationProvider.authenticate(...)` |
| `AuthenticationProvider` | Interface | Performs the actual authentication logic. | Multiple providers can be chained in `ProviderManager`. | → Returns a valid `Authentication` object |
| `UserDetails` | Interface | Stores user-specific information (username, password, authorities). | Used in login-based security. Not used directly in stateless JWT systems. | → Often returned from `UserDetailsService` |
| `UserDetailsService` | Interface | Loads user details by username. | Used in form login + stateful auth scenarios, not required in JWT flows. | → Provides `UserDetails` to `AuthenticationProvider` |
| `JwtDecoder` | Interface | Decodes and validates JWT tokens. | Used in OAuth2 Resource Server to extract claims and validate the signature. | → Returns a `Jwt` object that wraps token claims |
| `Jwt` | Class | Represents a decoded JWT token with its claims. | Used by `JwtAuthenticationConverter` to build authentication. | → Input to `JwtAuthenticationConverter.convert(Jwt jwt)` |
| `JwtAuthenticationConverter` | Class | Converts a `Jwt` object into a Spring Security `Authentication` token. | Core part of customizing how JWT claims are turned into authorities. | → Returns a `JwtAuthenticationToken` |
| `JwtAuthenticationToken` | Class | `Authentication` object representing a user authenticated via JWT. | Used internally as the `Authentication` in JWT-based flows. | → Holds `Jwt`, authorities, principal |
| `OAuth2ResourceServerConfigurer` | Configurer Class | Configures Spring Boot to act as a resource server that validates JWTs. | Enabled via `.oauth2ResourceServer().jwt()` in `SecurityFilterChain`. | → Registers `JwtDecoder` and `JwtAuthenticationConverter` |
| `BearerTokenAuthenticationFilter` | Filter | Extracts the `Authorization: Bearer ...` header and processes the token. | Automatically included when using `oauth2ResourceServer()`. | → Delegates to the JWT decoder and converters |
| `SecurityFilterChain` | Bean Interface | Defines the filter rules (paths, authentication requirements, etc.). | Replaces `WebSecurityConfigurerAdapter` in modern Spring Security setups. | → Registers JWT support, CSRF, CORS, etc. |
```text
[Incoming Request with JWT in Header]
        │
        ▼
[BearerTokenAuthenticationFilter]
        │
        ▼
[JwtDecoder] → Validates and parses token
        │
        ▼
[JwtAuthenticationConverter] → Converts to Authentication
        │
        ▼
[JwtAuthenticationToken] → With principal, authorities
        │
        ▼
[SecurityContextHolder]
```
You can now access the user's identity anywhere using:

```java
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String username = auth.getName();
Collection<? extends GrantedAuthority> roles = auth.getAuthorities();
```
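The snippet above assumes an `Authentication` is always present. The controller below is an added example, not part of the original page, showing how to read the identity the filter chain stored in `SecurityContextHolder` while handling the case where no valid bearer token was presented (the anonymous placeholder) and the case where the chain is not JWT-based at all. It assumes Spring Security 6 on Java 17 (for pattern-matching `instanceof`), Spring MVC, and a constructed `roles` claim in the token; the `/me` paths and the `WhoAmIController` name are illustrative.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class WhoAmIController {

    // Reads the Authentication that BearerTokenAuthenticationFilter placed in the
    // SecurityContextHolder. The same lookup works from any bean on the request thread.
    @GetMapping("/me")
    public Map<String, Object> me() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Either nothing was set (misconfigured chain) or the anonymous filter installed its
        // placeholder because no valid bearer token was presented: treat both as unauthenticated.
        if (auth == null || auth instanceof AnonymousAuthenticationToken || !auth.isAuthenticated()) {
            return Map.of("authenticated", false);
        }

        List<String> authorities = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());

        // LinkedHashMap rather than Map.of: some values below may legitimately be null.
        Map<String, Object> result = new LinkedHashMap<>();
        result.put("authenticated", true);
        // For a JwtAuthenticationToken, getName() is the "sub" claim unless
        // JwtAuthenticationConverter.setPrincipalClaimName(...) was configured.
        result.put("name", auth.getName());
        result.put("authorities", authorities);

        // Only JWT-backed logins carry the decoded token. Don't cast blindly: behind a
        // form-login or hybrid chain the Authentication is a different type.
        if (auth instanceof JwtAuthenticationToken jwtAuth) {
            Jwt jwt = jwtAuth.getToken();
            result.put("issuer", jwt.getIssuer() == null ? null : jwt.getIssuer().toString());
            result.put("expiresAt", jwt.getExpiresAt());
            // Constructed custom claim; getClaimAsStringList returns null when it is absent.
            result.put("roles", jwt.getClaimAsStringList("roles"));
        }
        return result;
    }

    // Same data via argument resolution: for a JwtAuthenticationToken the principal is the
    // Jwt itself, so @AuthenticationPrincipal hands it to the method directly.
    @GetMapping("/me/claims")
    public Map<String, Object> claims(@AuthenticationPrincipal Jwt jwt) {
        if (jwt == null) {
            return Map.of("authenticated", false);
        }
        return jwt.getClaims();
    }
}
```

If `/me` sits behind `.anyRequest().authenticated()` the unauthenticated branch is never reached; it matters when the endpoint is under a `permitAll()` path or is called from a service that runs on both authenticated and anonymous requests.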
- Customize `JwtAuthenticationConverter` to map custom roles (e.g., from a `roles` or `permissions` claim).
- `UserDetailsService` is not needed in stateless JWT apps unless doing a hybrid auth model.
- Define authorization rules with `.authorizeHttpRequests()` in your `SecurityFilterChain`.
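The following configuration is an added example, not code from the original page or from the Spring Security project, that wires together the resource-server rows of the table and the notes above: a `SecurityFilterChain` with `.authorizeHttpRequests()`, a `JwtDecoder` that checks signature, issuer, expiry and audience, and a customized `JwtAuthenticationConverter` that maps a `roles` claim to `ROLE_*` authorities alongside the default `SCOPE_*` mapping. It assumes Spring Security 6; the issuer, JWK set URI, audience, path patterns and the `roles` claim are constructed placeholders.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerSecurityConfig {

    // Constructed placeholder values; in a real application they come from the identity provider.
    private static final String ISSUER = "https://issuer.example.com/";
    private static final String JWK_SET_URI = "https://issuer.example.com/.well-known/jwks.json";
    private static final String AUDIENCE = "orders-api";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
        http
            // A bearer-token API keeps no session, so there is no session cookie for CSRF to protect.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            // Authorization rules live in the SecurityFilterChain bean (no WebSecurityConfigurerAdapter).
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")                 // requires ROLE_ADMIN
                .requestMatchers("/orders/**").hasAuthority("SCOPE_orders:read") // from the scope claim
                .anyRequest().authenticated())
            // Installs BearerTokenAuthenticationFilter, wired to our decoder and converter.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt
                    .decoder(jwtDecoder)
                    .jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    // JwtDecoder: verifies the signature against the issuer's JWK set, then validates
    // issuer + timestamps (the defaults) and, additionally, that this API is in "aud".
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        OAuth2TokenValidator<Jwt> issuerAndTimestamps = JwtValidators.createDefaultWithIssuer(ISSUER);
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                "aud", aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audience));
        return decoder;
    }

    // JwtAuthenticationConverter: decides how claims become GrantedAuthority values.
    // The stock JwtGrantedAuthoritiesConverter maps "scope"/"scp" to SCOPE_*; we keep that
    // and add the constructed "roles" claim mapped to ROLE_* so hasRole(...) works.
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();

        Converter<Jwt, Collection<GrantedAuthority>> rolesAndScopes = jwt -> {
            Collection<GrantedAuthority> authorities = new ArrayList<>(scopes.convert(jwt));
            List<String> roles = jwt.getClaimAsStringList("roles"); // null when the claim is absent
            if (roles != null) {
                for (String role : roles) {
                    // hasRole("ADMIN") looks for "ROLE_ADMIN"; avoid "ROLE_ROLE_" if the IdP already prefixes.
                    String name = role.startsWith("ROLE_") ? role : "ROLE_" + role;
                    authorities.add(new SimpleGrantedAuthority(name));
                }
            }
            return authorities;
        };

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(rolesAndScopes);
        // Authentication.getName() defaults to the "sub" claim; call
        // converter.setPrincipalClaimName("preferred_username") to change that.
        return converter;
    }
}
```

The audience check is the piece most often left out: with only the issuer validated, a token minted for a different API at the same issuer would be accepted here, so the `JwtClaimValidator` on `aud` is what ties the token to this resource server.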