Spring Security – JWT Authentication Architecture | Spring Boot


In this tutorial, we’ll look at the Spring Security architecture built for JWT authentication, which helps us secure our REST APIs with JWT (JSON Web Token) authentication.

Related Post:
Spring Security JWT Authentication example – RestAPIs SpringBoot + Spring MVC + Spring JPA + MySQL

Spring Security JWT Authentication architecture

This diagram shows the Spring Security/JWT classes, separated into 3 layers:
– Spring Security


Looking at the diagram above, we can easily associate these components with the Spring Security authentication process: receive the HTTP request, filter, authenticate, store the Authentication data, generate the token, get the User details, authorize, handle exceptions…

At a glance:
– SecurityContextHolder provides access to the SecurityContext.
– SecurityContext holds the Authentication and possibly request-specific security information.
– Authentication represents the principal and includes the GrantedAuthority objects that reflect the application-wide permissions granted to that principal.
– UserDetails contains the information necessary to build an Authentication object from DAOs or other sources of security data.
– UserDetailsService creates a UserDetails from a String-based username and is usually used by an AuthenticationProvider.
– JwtAuthTokenFilter (extends OncePerRequestFilter) pre-processes each HTTP request: from the token it creates an Authentication and populates it into the SecurityContext.
– JwtProvider validates and parses a token String, or generates a token String from UserDetails.
– UsernamePasswordAuthenticationToken takes the username/password from the login request and combines them into an instance of the Authentication interface.
– AuthenticationManager uses DaoAuthenticationProvider (with the help of UserDetailsService and PasswordEncoder) to validate the UsernamePasswordAuthenticationToken instance, then returns a fully populated Authentication instance on successful authentication.
– The SecurityContext is established by calling SecurityContextHolder.getContext().setAuthentication(…​) with the Authentication object returned above.
– AuthenticationEntryPoint handles AuthenticationException.
– Access to the RESTful API is protected by HttpSecurity and authorized with Method Security Expressions.

Receive HTTP Request

When an HTTP request arrives (from a browser, a web service client, an HttpInvoker or an AJAX application – Spring doesn’t care), it goes through a chain of filters for authentication and authorization purposes.

This also holds for a user authentication request: the filter chain is applied until the relevant authentication filter is reached.

Filter the Request

In this architecture, we add our JwtAuthTokenFilter (which extends Spring’s OncePerRequestFilter abstract class) to the chain of filters.

class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ... authorization rules, entry point and session policy ...
        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}

JwtAuthTokenFilter validates the Token using JwtProvider:

class JwtAuthTokenFilter extends OncePerRequestFilter {
    private JwtProvider tokenProvider;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        String jwt = getJwt(request);
        if (jwt != null && tokenProvider.validateJwtToken(jwt)) {
            // valid token: build the Authentication and store it in the SecurityContext
        }
        filterChain.doFilter(request, response);
    }
}

Now we have 2 cases:
– Login/SignUp: the REST API’s non-protected endpoints -> authenticate the login request with AuthenticationManager; if an error occurs, handle the AuthenticationException with AuthenticationEntryPoint.
– Protected resources:
+ the JWT is null/invalid -> if an authentication error occurs, handle the AuthenticationException with AuthenticationEntryPoint.
+ the JWT is valid -> from the token, get the user information, then create an AuthenticationToken.
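The JwtProvider that the filter relies on for validation, as an added example rather than the post’s own code. It is written against the jjwt 0.9.x API (io.jsonwebtoken); the app.jwt.secret and app.jwt.expirationMs property names are hypothetical, and the signing secret is assumed to be a long random value supplied from configuration.

```java
import java.util.Date;

import io.jsonwebtoken.*;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

@Component
public class JwtProvider {
    private static final Logger logger = LoggerFactory.getLogger(JwtProvider.class);
    // Hypothetical property names: a long random secret and a short lifetime in milliseconds.
    @Value("${app.jwt.secret}")
    private String jwtSecret;
    @Value("${app.jwt.expirationMs}")
    private long jwtExpirationMs;

    // Only the username plus issue and expiry times go into the token, never the password.
    public String generateJwtToken(Authentication authentication) {
        UserDetails userPrincipal = (UserDetails) authentication.getPrincipal();
        Date now = new Date();
        return Jwts.builder()
                .setSubject(userPrincipal.getUsername())
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + jwtExpirationMs))
                .signWith(SignatureAlgorithm.HS512, jwtSecret)
                .compact();
    }

    // parseClaimsJws verifies the HMAC signature and the exp claim before exposing any claim.
    public String getUserNameFromJwtToken(String token) {
        return Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(token).getBody().getSubject();
    }

    // Each failure is logged under its own cause so tampering and ordinary expiry can be told apart.
    public boolean validateJwtToken(String authToken) {
        try {
            Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(authToken);
            return true;
        } catch (SignatureException e) { logger.error("Invalid JWT signature: {}", e.getMessage());
        } catch (MalformedJwtException e) { logger.error("Invalid JWT token: {}", e.getMessage());
        } catch (ExpiredJwtException e) { logger.error("Expired JWT token: {}", e.getMessage());
        } catch (UnsupportedJwtException e) { logger.error("Unsupported JWT token: {}", e.getMessage());
        } catch (IllegalArgumentException e) { logger.error("JWT claims string is empty: {}", e.getMessage());
        }
        return false;
    }
}
```

When validateJwtToken returns false the filter simply does not populate the SecurityContext, so the request reaches the authorization rules as anonymous and the AuthenticationEntryPoint answers.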

Create AuthenticationToken from Token

JwtAuthTokenFilter extracts the username/password from the received token using JwtProvider, then, based on the extracted data, JwtAuthTokenFilter:
– creates an AuthenticationToken (which implements Authentication)
– uses that AuthenticationToken as the Authentication object and stores it in the SecurityContext for later filters to use (e.g. authorization filters).

In this tutorial, we use UsernamePasswordAuthenticationToken:

// extract user information
String username = tokenProvider.getUserNameFromJwtToken(jwt);
UserDetails userDetails = userDetailsService.loadUserByUsername(username);

// create AuthenticationToken
UsernamePasswordAuthenticationToken authentication
        = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
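The filter step and the token-to-Authentication step above combined into one complete filter, as an added example rather than the post’s own code. It assumes the JwtProvider and UserDetailsServiceImpl described on this page and that clients send the token as Authorization: Bearer <token>.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

public class JwtAuthTokenFilter extends OncePerRequestFilter {
    @Autowired
    private JwtProvider tokenProvider;
    @Autowired
    private UserDetailsServiceImpl userDetailsService;
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        try {
            String jwt = getJwt(request);
            if (jwt != null && tokenProvider.validateJwtToken(jwt)) {
                // The token only carries the username; authorities come from the current
                // UserDetails, so a role change takes effect without waiting for expiry.
                String username = tokenProvider.getUserNameFromJwtToken(jwt);
                UserDetails userDetails = userDetailsService.loadUserByUsername(username);
                UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
                        userDetails, null, userDetails.getAuthorities());
                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
        } catch (Exception e) {
            // Never fail the request here: with no Authentication in the context, the
            // authorization rules reject protected URLs and AuthenticationEntryPoint answers 401.
            logger.error("Can NOT set user authentication", e);
        }
        filterChain.doFilter(request, response);
    }

    // Accept only the "Authorization: Bearer <token>" scheme; anything else is treated as anonymous.
    private String getJwt(HttpServletRequest request) {
        String authHeader = request.getHeader("Authorization");
        if (authHeader != null && authHeader.startsWith("Bearer ")) {
            return authHeader.substring(7);
        }
        return null;
    }
}
```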

Store Authentication object in SecurityContext


SecurityContextHolder is the most fundamental object: it is where we store the details of the application’s present security context (including details of the principal). Spring Security uses an Authentication object to represent this information, and we can query this Authentication object from anywhere in our application:

Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
// currently authenticated user
Object principal = authentication.getPrincipal();

getContext() returns an instance of SecurityContext interface that holds the Authentication and possibly request-specific security information.

Delegate the AuthenticationToken to the AuthenticationManager

After the AuthenticationToken object is created, it is used as the input parameter of the authenticate() method of the AuthenticationManager:

public interface AuthenticationManager {
    Authentication authenticate(Authentication authentication)
            throws AuthenticationException;
}

We can see that AuthenticationManager is just an interface; the default implementation in Spring Security is ProviderManager:

public class ProviderManager implements AuthenticationManager, ... {
    private List<AuthenticationProvider> providers;
    // ...
}

Authenticate with AuthenticationProvider


ProviderManager delegates to a list of configured AuthenticationProviders; each of them tries to authenticate the user and then either throws an exception or returns a fully populated Authentication object:

public class ProviderManager implements AuthenticationManager, ... {
    private List<AuthenticationProvider> providers;

    // simplified: the first provider that returns a non-null result wins
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Authentication result = null;
        for (AuthenticationProvider provider : getProviders()) {
            try {
                result = provider.authenticate(authentication);
                if (result != null) {
                    copyDetails(authentication, result);
                    break;
                }
            } catch (AuthenticationException ex) {
                // remember the failure and let the next provider try
            }
        }
        return result;
    }
}

These are some of the authentication providers that Spring provides:

  • DaoAuthenticationProvider
  • PreAuthenticatedAuthenticationProvider
  • LdapAuthenticationProvider
  • ActiveDirectoryLdapAuthenticationProvider
  • JaasAuthenticationProvider
  • CasAuthenticationProvider
  • RememberMeAuthenticationProvider
  • AnonymousAuthenticationProvider
  • RunAsImplAuthenticationProvider
  • OpenIDAuthenticationProvider

DaoAuthenticationProvider works well with form-based logins or HTTP Basic authentication, which submit a simple username/password authentication request.
It authenticates the user simply by comparing the password submitted in a UsernamePasswordAuthenticationToken against the one loaded by the UserDetailsService (as a DAO):

AuthenticationManager authenticationManager;
Authentication authentication = authenticationManager.authenticate(
        new UsernamePasswordAuthenticationToken(loginRequest.username, loginRequest.password));

Configuring this provider is simple with AuthenticationManagerBuilder:

class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    UserDetailsServiceImpl userDetailsService;

    @Override
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        // DaoAuthenticationProvider backed by our UserDetailsService and a PasswordEncoder bean (passwordEncoder() not shown)
        authenticationManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

Retrieve User details with UserDetailsService

We can obtain the principal from the Authentication object. This principal can be cast to a UserDetails object to look up the username, password and GrantedAuthority objects.

Therefore, after authentication succeeds, we can simply get the UserDetails from the Authentication object:

UserDetails userDetails = (UserDetails) authentication.getPrincipal();
// userDetails.getUsername()
// userDetails.getPassword()
// userDetails.getAuthorities()

DaoAuthenticationProvider also uses UserDetailsService to obtain the UserDetails object. This is the common approach: we pass only a String-based username and get back a UserDetails:

public interface UserDetailsService {
    UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}

UserDetailsService is simple to implement and lets us retrieve authentication information using whatever persistence strategy we like:

@Service
public class UserDetailsServiceImpl implements UserDetailsService {
    @Autowired
    UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username).orElseThrow(
                () -> new UsernameNotFoundException("User Not Found with -> username or email : " + username));

        return UserPrinciple.build(user); // UserPrinciple implements UserDetails
    }
}

Get GrantedAuthority

Another important method provided by Authentication is getAuthorities(), which returns a collection of GrantedAuthority objects:

public interface Authentication extends Principal, Serializable {
    Collection<? extends GrantedAuthority> getAuthorities();
    // ...
}

A GrantedAuthority is an authority granted to the principal. Such authorities are usually ‘roles’, such as ROLE_ADMIN, ROLE_PM and ROLE_USER.
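How that GrantedAuthority collection gets built, as an added example that is not the post’s code: a UserPrinciple implementing UserDetails, as referenced by UserDetailsServiceImpl above. The User and Role entities (getRoles(), and Role.getName() returning an enum constant such as ROLE_ADMIN) are hypothetical.

```java
import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical User and Role entities: User has getId/getUsername/getPassword/getRoles(),
// Role has getName() returning an enum such as ROLE_USER, ROLE_PM or ROLE_ADMIN.
public class UserPrinciple implements UserDetails {
    private final Long id;
    private final String username;
    private final String password;  // the encoded hash from the database, never the raw password
    private final Collection<? extends GrantedAuthority> authorities;

    private UserPrinciple(Long id, String username, String password,
                          Collection<? extends GrantedAuthority> authorities) {
        this.id = id;
        this.username = username;
        this.password = password;
        this.authorities = authorities;
    }

    // hasRole('ADMIN') in a @PreAuthorize expression matches an authority named exactly
    // "ROLE_ADMIN", so the role names stored in the database must carry the ROLE_ prefix.
    public static UserPrinciple build(User user) {
        List<GrantedAuthority> authorities = user.getRoles().stream()
                .map(role -> new SimpleGrantedAuthority(role.getName().name()))
                .collect(Collectors.toList());
        return new UserPrinciple(user.getId(), user.getUsername(), user.getPassword(), authorities);
    }

    public Long getId() { return id; }

    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
    @Override public String getUsername() { return username; }
    @Override public String getPassword() { return password; }

    // Account-state flags: returning false from any of these makes DaoAuthenticationProvider
    // reject the login (AccountStatusException) even when the password matches.
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }
}
```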

Protect Resources with HttpSecurity & Method Security Expressions

Configure HttpSecurity

To let Spring Security know when we want to require all users to be authenticated, which exception handler to use, and which filter to apply and when, we extend WebSecurityConfigurerAdapter and provide the configuration in the configure(HttpSecurity http) method:

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity http) throws Exception {
        // ... authorization rules, exception handling, session policy ...
        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}

Method Security Expressions

Spring Security provides annotations for pre- and post-invocation authorization checks and for filtering submitted collection arguments or return values: @PreAuthorize, @PreFilter, @PostAuthorize and @PostFilter.

To enable Method Security Expressions, we use @EnableGlobalMethodSecurity annotation:

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // ...
}

In the code below, we use the most useful annotation, @PreAuthorize, to decide whether a method can actually be invoked:

public class TestRestAPIs {
    @PreAuthorize("hasRole('USER') or hasRole('ADMIN')")
    public String userAccess() {
        return ">>> User Contents!";
    }

    @PreAuthorize("hasRole('PM') or hasRole('ADMIN')")
    public String projectManagementAccess() {
        return ">>> Project Management Board";
    }

    @PreAuthorize("hasRole('ADMIN')")
    public String adminAccess() {
        return ">>> Admin Contents";
    }
}

Handle AuthenticationException – AuthenticationEntryPoint

If the user requests a secure HTTP resource without being authenticated, AuthenticationEntryPoint is called: an AuthenticationException is thrown and the commence() method of the entry point is triggered:

public class JwtAuthEntryPoint implements AuthenticationEntryPoint {
    private static final Logger logger = LoggerFactory.getLogger(JwtAuthEntryPoint.class);

    @Override
    public void commence(HttpServletRequest request,
                         HttpServletResponse response,
                         AuthenticationException e)
                            throws IOException, ServletException {
        logger.error("Unauthorized error. Message - {}", e.getMessage());
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Error -> Unauthorized");
    }
}

27 thoughts on “Spring Security – JWT Authentication Architecture | Spring Boot”

  1. Thanks for the article buddy, but I’m having one issue regarding the swagger-ui.html page.
    Even though I have configured,

        public void configure(WebSecurity webSecurity) throws Exception {
            // ...
        }

        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity.authorizeRequests().antMatchers("/api/auth/**", "/swagger-ui.html").permitAll();
            // ...
        }

    Still I’m searching for a solution.
    Could you help me regarding this …?

  2. Wow. This is the best post I have read about Spring Security and JWT.
    Thank you so much.


