There is a newer version available. Please update to Spring Security 5.6!

Authentication

Spring Security provides comprehensive support for [authentication]. This section discusses:

Architecture Components

This section describes the main architectural components of Spring Security’s used in Servlet authentication. If you need concrete flows that explain how these pieces fit together, look at the Authentication Mechanism specific sections.

[servlet-authentication-securitycontextholder] - The SecurityContextHolder is where Spring Security stores the details of who is authenticated.
[servlet-authentication-securitycontext] - is obtained from the SecurityContextHolder and contains the Authentication of the currently authenticated user.
[servlet-authentication-authentication] - Can be the input to AuthenticationManager to provide the credentials a user has provided to authenticate or the current user from the SecurityContext.
[servlet-authentication-granted-authority] - An authority that is granted to the principal on the Authentication (i.e. roles, scopes, etc.)
[servlet-authentication-authenticationmanager] - the API that defines how Spring Security’s Filters perform authentication.
[servlet-authentication-providermanager] - the most common implementation of AuthenticationManager.
[servlet-authentication-authenticationprovider] - used by ProviderManager to perform a specific type of authentication.
[servlet-authentication-authenticationentrypoint] - used for requesting credentials from a client (i.e. redirecting to a log in page, sending a WWW-Authenticate response, etc.)
[servlet-authentication-abstractprocessingfilter] - a base Filter used for authentication. This also gives a good idea of the high level flow of authentication and how pieces work together.

Authentication Mechanisms

Username and Password - how to authenticate with a username/password
OAuth 2.0 Login - OAuth 2.0 Log In with OpenID Connect and non-standard OAuth 2.0 Login (i.e. GitHub)
SAML 2.0 Login - SAML 2.0 Log In
Central Authentication Server (CAS) - Central Authentication Server (CAS) Support
Remember Me - How to remember a user past session expiration
JAAS Authentication - Authenticate with JAAS
OpenID - OpenID Authentication (not to be confused with OpenID Connect)
[servlet-preauth] - Authenticate with an external mechanism such as SiteMinder or Java EE security but still use Spring Security for authorization and protection against common exploits.
X509 Authentication - X509 Authentication