UsernamePasswordAuthenticationFilter

Now, let's take a look at UsernamePasswordAuthenticationFilter and its dependencies, as shown in the following figure:

Figure 10.9: UsernamePasswordAuthenticationFilter and its dependencies

As you can see, UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter, which holds a reference to an instance of AuthenticationManager. AuthenticationManager is an interface with only one method: authenticate(). This method takes an unauthenticated Authentication instance as its input and returns an authenticated Authentication instance.

The following figure shows the relationship between AuthenticationManager, AuthenticationProvider, UserDetails, and UserDetailsService:

Figure 10.10: AuthenticationManager and its dependencies

As you can see, ProviderManager, the implementation of AuthenticationManager, holds a list of AuthenticationProvider instances that it can use to perform the authentication. DaoAuthenticationProvider is one of the implementations of the AuthenticationProvider interface. The following are built-in AuthenticationProvider implementations:

  • CasAuthenticationProvider
  • DaoAuthenticationProvider
  • LdapAuthenticationProvider
  • OAuth2LoginAuthenticationProvider
  • OpenIDAuthenticationProvider
  • RememberMeAuthenticationProvider
  • AnonymousAuthenticationProvider

Through these AuthenticationProvider implementations, Spring Security is very flexible in the way it authenticates requests. For now, let's focus on DaoAuthenticationProvider, which is the one most commonly used.

As you can see, DaoAuthenticationProvider holds an instance of PasswordEncoder and an instance of UserDetailsService. In the process of authentication, the provider asks UserDetailsService to load an instance of UserDetails and, when that UserDetails exists, it uses PasswordEncoder to check whether the password passed inside the Authentication instance matches the one stored in the UserDetails instance. When the passwords match, the request is considered authenticated and the provider creates an instance of UsernamePasswordAuthenticationToken, which is an implementation of the Authentication interface. This UsernamePasswordAuthenticationToken instance is the one returned to UsernamePasswordAuthenticationFilter and stored in SecurityContextHolder.

When an authentication request arrives at this filter, the Authentication object living inside SecurityContext looks similar to the one on the left in the following diagram. After successful authentication, the Authentication object looks like the one on the right. In SecurityContextPersistenceFilter, this authenticated Authentication object is saved into HttpSession:

Figure 10.11: Authentication object

As you can see, before the authentication, the principal and credentials properties of the Authentication instance hold the email address or username and the password that were sent in the login request; authorities is empty and authenticated is false. After a successful authentication, the value of principal in the Authentication object is changed to an instance of UserDetails, and credentials is cleared out to protect the password. In our example, this user's granted authority is ROLE_USER.
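The following is an added example, not code from the book, that wires a DaoAuthenticationProvider exactly as described above and shows the before/after shape of the Authentication object from Figure 10.11. The user alice@example.com, her password, and the class name DaoAuthenticationDemo are constructed for illustration.

```java
import java.util.List;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class DaoAuthenticationDemo {
    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // Constructed sample user: only the BCrypt hash is stored, never the clear-text password.
        UserDetails alice = User.withUsername("alice@example.com")
                .password(encoder.encode("correct horse battery staple"))
                .roles("USER") // stored as the granted authority ROLE_USER
                .build();

        // DaoAuthenticationProvider = UserDetailsService + PasswordEncoder; ProviderManager delegates to it.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new InMemoryUserDetailsManager(alice));
        provider.setPasswordEncoder(encoder);
        AuthenticationManager authenticationManager = new ProviderManager(List.of(provider));

        // Left-hand object of Figure 10.11: principal = username, credentials = password, no authorities, unauthenticated.
        Authentication request = new UsernamePasswordAuthenticationToken("alice@example.com", "correct horse battery staple");
        System.out.println("before: authenticated=" + request.isAuthenticated() + " authorities=" + request.getAuthorities());

        // Right-hand object: principal = UserDetails, credentials erased by ProviderManager, authorities = [ROLE_USER].
        Authentication result = authenticationManager.authenticate(request);
        System.out.println("after: authenticated=" + result.isAuthenticated() + " principal=" + result.getPrincipal().getClass().getSimpleName()
                + " credentials=" + result.getCredentials() + " authorities=" + result.getAuthorities());

        // What the filter does with the result; SecurityContextPersistenceFilter later saves the context to the HttpSession.
        SecurityContextHolder.getContext().setAuthentication(result);

        // A wrong password is rejected; an unknown username is reported the same way, so the response does not reveal which users exist.
        try {
            authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("alice@example.com", "wrong"));
        } catch (BadCredentialsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

It needs spring-security-core and spring-security-crypto on the classpath; the second line printed shows authenticated=true, principal=User, credentials=null and authorities=[ROLE_USER], which is the right-hand object in Figure 10.11.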
