Introducing Spring Security

In a nutshell, Spring Security uses filters to perform authentication and request-level authorization and uses AOP to fulfill method-level authorization. The following figure shows the components that a request will go through in a web application that is guarded by Spring Security:

Figure 10.4: Spring Security in an application

As you can see, when a request arrives at the server, it goes through the Spring Security filter chain, to which org.springframework.web.filter.DelegatingFilterProxy delegates. This filter chain is usually created as a Spring bean named springSecurityFilterChain, which contains a list of filter beans created by Spring Security. Through these filters, Spring performs a series of actions to decide how a request should be handled.

Once a request passes all the filters, it arrives at the Controller that is registered, through request mapping, to handle the request. Most of the time, controllers call the APIs of services to either execute a command or query for some information. Before control flows into the Service, Spring Security can perform method-level authorization via AOP.

That is a very high-level introduction, intended to show where Spring Security fits in an application. Now, let's go through some core concepts in Spring Security.
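The two enforcement points described above can be seen side by side in the following added example, which is not code from the book. It assumes Spring Security 6.x on the classpath; the class names, URL pattern, role name and in-memory report store are hypothetical.

```java
// Added example (assumes Spring Security 6.x); names, paths and roles are hypothetical.
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity     // creates the springSecurityFilterChain bean
@EnableMethodSecurity  // enables the AOP interceptors behind @PreAuthorize
class SecurityConfiguration {

  // Request-level rules: evaluated by the filters before any controller runs.
  @Bean
  SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
      .authorizeHttpRequests(auth -> auth
        .requestMatchers("/admin/**").hasRole("ADMIN")
        .anyRequest().authenticated())  // everything else requires a login
      .formLogin(Customizer.withDefaults());
    return http.build();
  }
}

@Service
class ReportService {

  // Constructed sample data standing in for a real repository.
  private final Map<Long, String> reports =
      new ConcurrentHashMap<>(Map.of(1L, "Q1 summary", 2L, "Q2 summary"));

  // Method-level rule: checked by the AOP proxy around this bean, so it holds
  // for every caller, including a controller mapped outside /admin/**.
  @PreAuthorize("hasRole('ADMIN')")
  public boolean deleteReport(long reportId) {
    return reports.remove(reportId) != null;
  }
}
```

The method-level check only runs when deleteReport is called through the Spring proxy; a call from another method inside ReportService itself bypasses the interceptor, so the request-level rule should not be dropped in favor of the annotation alone.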
