From https://www.linkedin.com/in/abhinandan-kumar-sde/
📩 A user sends a request to access a protected resource.
🔗 This request passes through a Security Filter Chain.
2️⃣ Security Filter Chain
🧩 Multiple filters (CORS, CSRF, Authentication, etc.) run in sequence.
🎯 Each filter handles specific logic — like validation, authentication, or authorization.
3️⃣ Authentication Flow
💬 Request carries credentials → wrapped inside a UsernamePasswordAuthenticationToken.
🧮 Spring verifies these details (via DB, JWT, or external providers).
4️⃣ AuthenticationManager / ProviderManager
🧭 Acts as a traffic controller for authentication.
🤝 Delegates work to the right Authentication Provider depending on login type.
5️⃣ Authentication Providers
🔹 JWTAuthenticationProvider → Validates tokens
🔹 DaoAuthenticationProvider → Checks DB credentials
🔹 Custom Providers → OAuth2, LDAP, SSO, etc.
Each provider handles one type of authentication method.
6️⃣ UserDetailsService & PasswordEncoder
📚 UserDetailsService → Fetches user data from DB
🔒 PasswordEncoder → Hashes & verifies passwords securely
7️⃣ SecurityContext & JWT Filter
✅ Once authenticated → user info stored in SecurityContext
🎟️ JWT Filter → Verifies token validity for each incoming request
8️⃣ Authentication Request & Response
📨 Request: Client sends credentials or token
📬 Response: Server returns valid JWT/session for next requests
9️⃣ SecurityContextHolder
Holds complete user identity info:
👤 Username | 🔑 Credentials | 🧩 Roles | 🧱 Account status (locked, expired, etc.)
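
The flow from steps 3 to 9, run without a web layer, as an added example that is not part of the original post. It assumes Spring Security 6.x (`spring-security-core` and `spring-security-crypto`) on the classpath; the class name `AuthFlowDemo`, the user `alice` and the sample password are constructed for illustration.

```java
import org.springframework.security.authentication.*;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class AuthFlowDemo {
    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample user; in production the UserDetailsService queries the DB.
        UserDetailsService users = new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("constructed-sample-pw"))
                .roles("USER").build());

        // Provider for username/password logins: loads the user, compares the hash.
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(users);
        dao.setPasswordEncoder(encoder);

        // ProviderManager asks each provider supports(tokenType) and delegates to the match.
        AuthenticationManager manager = new ProviderManager(dao);

        // Step 3: credentials wrapped in an unauthenticated token.
        Authentication request =
            UsernamePasswordAuthenticationToken.unauthenticated("alice", "constructed-sample-pw");
        Authentication result = manager.authenticate(request);

        // Step 7: store the authenticated result in a fresh SecurityContext.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(result);
        SecurityContextHolder.setContext(context);

        System.out.println(result.getName() + " " + result.getAuthorities());
        // ProviderManager erases credentials after a successful login by default.
        System.out.println("credentials kept: " + (result.getCredentials() != null));

        try { // A wrong password surfaces as BadCredentialsException, not a null result.
            manager.authenticate(
                UsernamePasswordAuthenticationToken.unauthenticated("alice", "wrong"));
        } catch (BadCredentialsException e) {
            System.out.println("rejected: " + e.getMessage());
        } finally {
            SecurityContextHolder.clearContext(); // avoid leaking identity across threads
        }
    }
}
```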
✨ Final Takeaway
Spring Security = Filters + Managers + Providers working together to secure your app.

