Spring Security Main Components and How It Works

Posted By : Bilal Khan | 30-Apr-2018

Spring Security is a framework that provides authentication and authorization for Java applications.


Spring Security core components-

1. SecurityContext- SecurityContext is an interface that holds the details of the currently authenticated user for our application, such as the username and credentials. It keeps this information in an object called the Authentication object.

2. SecurityContextHolder- The SecurityContext is accessed through the SecurityContextHolder class, which by default keeps the context in a ThreadLocal for the current request thread.

Example-

import org.springframework.security.core.context.SecurityContolder;
import org.springframework.security.core.userdetails.UserDetails;

// The principal is normally a UserDetails, but some providers store it as a plain String.
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();

// Declare username outside the branches so it is still in scope after the if/else.
String username;
if (principal instanceof UserDetails) {
    username = ((UserDetails) principal).getUsername();
} else {
    username = principal.toString();
}

 

The following steps are needed to authenticate a user in Spring Security.


1. Authentication is an interface with a number of implementations for different authentication models. For simple username and password authentication, Spring Security uses UsernamePasswordAuthenticationToken, which is an implementation of the Authentication interface.
 

2. After an instance of UsernamePasswordAuthenticationToken has been created, the token is passed to an instance of AuthenticationManager for validation.

3. The AuthenticationManager then does the following-

a. It internally iterates over the list of configured AuthenticationProvider instances until one can validate the request; in other words, the AuthenticationManager delegates the checking of user credentials to an AuthenticationProvider.

b. On successful authentication, the AuthenticationManager returns a fully populated Authentication instance (principal and granted authorities set).

4. Finally, a security context needs to be established.

5. This is done by invoking SecurityContextHolder.getContext().setAuthentication(), passing the returned Authentication object as the argument.

UserDetailsService-

In Spring Security, UserDetails is a core interface that represents a principal. In other terms, UserDetails acts as the adaptor between what Spring Security needs inside the SecurityContextHolder and our own database. UserDetailsService is a core interface for loading user-specific data.

UserDetailsService declares a single method, loadUserByUsername(String username), which loads the UserDetails for a given username from the database. To plug in our own user store, we implement UserDetailsService, override loadUserByUsername(String username), and provide our own lookup logic.

 


import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class CurrentUserDetailsService implements UserDetailsService {

    private final UserService userService;

    @Autowired
    public CurrentUserDetailsService(UserService userService) {
        this.userService = userService;
    }

    // CurrentUser is the application's own UserDetails implementation wrapping User.
    @Override
    public CurrentUser loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userService.getUserByUsername(username);
        if (user == null) {
            // Spring Security expects this exception for unknown users, not a NullPointerException.
            throw new UsernameNotFoundException("User not found: " + username);
        }
        return new CurrentUser(user);
    }
}


Granting Authority -

After the user has been authenticated, authorization takes place. Authorization starts from the list of granted authorities for the logged-in user, obtained by calling the getAuthorities() method of the Authentication object. This method returns the roles (GrantedAuthority instances) held by that particular logged-in user. These roles can then be used to configure web authorization, domain object authorization, and method authorization.
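The five authentication steps above and the getAuthorities() call just described, as an added Java example that is not the author's code: ManualLoginService is a hypothetical class, and the AuthenticationManager is assumed to be the bean Spring Security configures for the application, injected here.

```java
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical service (added example); the AuthenticationManager is assumed to be
// the one Spring Security configures for the application.
public class ManualLoginService {
    private final AuthenticationManager authenticationManager;

    public ManualLoginService(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    // Returns the fully populated Authentication, or throws AuthenticationException
    // (BadCredentialsException, DisabledException, ...) when the credentials are rejected.
    public Authentication login(String username, String rawPassword) {
        // Step 1: an unauthenticated token that only carries the submitted credentials;
        // this two-argument constructor leaves isAuthenticated() false.
        Authentication request =
                new UsernamePasswordAuthenticationToken(username, rawPassword);

        // Steps 2 and 3: the manager asks its AuthenticationProviders to validate it and,
        // on success, returns a new token with isAuthenticated() true and roles filled in.
        Authentication result = authenticationManager.authenticate(request);

        // Steps 4 and 5: establish the security context. A fresh context is used rather than
        // mutating SecurityContextHolder.getContext() so other threads never see a half-set state.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(result);
        SecurityContextHolder.setContext(context);
        return result;
    }

    // Authorization side: the roles granted to the user logged in on the current thread.
    // Returns an empty list when no Authentication is present on this thread.
    public static List<String> currentRoles() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return List.of();
        }
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());
    }
}
```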

About Author

Bilal Khan

Bilal is a Java developer with a postgraduate degree in M.C.A (IT). He is able to handle different types of issues and loves learning new technologies.
