Spring Security core concepts

Before we move forward and talk about Spring Security in depth, let's introduce the core concepts in Spring Security. Understanding these concepts will help us have a better understanding of how it works.

In Spring Security, the core components are Authentication, GrantedAuthority, SecurityContext, and SecurityContextHolder.

An Authentication object represents the token for an authentication request or, once the request has been processed by the AuthenticationManager, for an authenticated principal. An authentication request is usually a login request that the frontend sends to the server. In Spring Security, this request's endpoint is the login processing URL; by default, it is the /login path accessed with the HTTP POST method. In an authentication request, the Authentication object usually contains the username and password that will be used for authentication. The term principal comes from the java.security.Principal interface that Authentication extends. In Java, a Principal represents an individual, a corporation, or a login ID. In Spring Security, an authenticated principal is the currently logged-in user's information, which, as mentioned earlier, is usually saved in the HTTP session.

GrantedAuthority is an authority granted to a user. Usually, it is a role name, for example, ROLE_ADMIN or ROLE_SUPERVISOR. You can retrieve the granted authorities of a user through the getAuthorities() method of Authentication.

When a logged-in user's information, which is an instance of Authentication, is saved to the HTTP session, it is encapsulated inside an instance of SecurityContext. Spring Security's SecurityContextPersistenceFilter is responsible for managing the SecurityContext for each request. During the execution of a request, you can retrieve the SecurityContext from SecurityContextHolder through the SecurityContextHolder.getContext() method. Internally, SecurityContextHolder keeps the SecurityContext in a ThreadLocal variable, so the SecurityContext is bound to the thread that executes the current request. When Spring Security performs authorization, it retrieves the SecurityContext from SecurityContextHolder.

At its core, Spring Security really comes down to these four concepts. Most of the other components in Spring Security are about either updating the SecurityContext or using it to perform authorization.
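The following is an added example (not code from the book or from Spring Security itself) that wires the four concepts together outside of a web request: it builds an authenticated Authentication carrying a GrantedAuthority, stores it in a SecurityContext through SecurityContextHolder, and then shows the consequence of the ThreadLocal binding, namely that a freshly started thread sees an empty context. The class and method names (CoreConceptsDemo, bindAuthenticatedUser, hasAuthority) and the user "alice" are hypothetical; it assumes spring-security-core on the classpath and the default MODE_THREADLOCAL strategy.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

public class CoreConceptsDemo {

    // Mimics what Spring Security does after credentials have been verified:
    // build an authenticated Authentication and bind it to the current thread.
    static Authentication bindAuthenticatedUser(String username, String... roles) {
        List<GrantedAuthority> authorities = Arrays.stream(roles)
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        // The three-argument constructor yields an already-authenticated token.
        // Credentials are passed as null so the password is not retained in the context.
        Authentication auth = new UsernamePasswordAuthenticationToken(username, null, authorities);
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth);
        SecurityContextHolder.setContext(context);
        return auth;
    }

    // The check an authorization component performs: read the SecurityContext
    // from the holder and inspect the granted authorities.
    static boolean hasAuthority(String authority) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null || !current.isAuthenticated()) {
            return false;
        }
        return current.getAuthorities().stream()
                .anyMatch(a -> a.getAuthority().equals(authority));
    }

    public static void main(String[] args) throws InterruptedException {
        bindAuthenticatedUser("alice", "ROLE_ADMIN");   // constructed sample user
        System.out.println("request thread has ROLE_ADMIN: " + hasAuthority("ROLE_ADMIN"));

        // MODE_THREADLOCAL: a new thread gets its own, empty SecurityContext,
        // so code handed off to another thread is unauthenticated unless the
        // context is propagated explicitly.
        Thread worker = new Thread(() ->
                System.out.println("worker thread has ROLE_ADMIN: " + hasAuthority("ROLE_ADMIN")));
        worker.start();
        worker.join();

        // What SecurityContextPersistenceFilter does at the end of a request; on a
        // pooled thread, skipping this would leak the user's context to the next task.
        SecurityContextHolder.clearContext();
        System.out.println("after clearContext has ROLE_ADMIN: " + hasAuthority("ROLE_ADMIN"));
    }
}
```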
