Tomcat Server

ServletFilterChain

Security Filters Chain

AuthenticationManager

AuthenticationProvider

DaoAuthenticationProvider

UserDetailService

PasswordEncoder

SecurityContextHolder SecurityContext

1. incoming request

FilterChainProxy

2. authentication responsibility is delegated

3. use the AuthenticationProvider according to the login request

5. Get the authenticated user

6. set authenticated user in context

7. Dispatcher Servlet and controllers

4. Return the authenticated user

Servlet filter chain: [ CharacterEncodingFilter HiddenHttpMethodFilter RequestContextFilter ForwardedHeaderFilter CorsFilter // ... ]

Security filter chain: [ WebAsyncManagerIntegrationFilter SecurityContextPersistenceFilter HeaderWriterFilter LogoutFilter UsernamePasswordAuthenticationFilter // ... ]

[ DaoAuthenticationProvider, InMemoryAuthenticationProvider, OAuth2AuthenticationProvider, ... ]