Spring Security Tutorial — Complete Guide

A complete, hands-on Spring Security 6.x tutorial series. Master authentication, authorization, JWT, OAuth2, CSRF, session management, and production security patterns from first principles to expert level.

Spring Security is the most powerful security framework in the Java ecosystem — and the most misunderstood. This series dismantles it layer by layer, from the filter chain internals that every HTTP request passes through, to OAuth2 authorization servers and production security checklists.

30 articles. Zero hand-waving. Production-grade patterns throughout.


Part 1: Architecture and Fundamentals

  1. How Spring Security Works: The Big Picture
  2. The Security Filter Chain: Every Filter Explained
  3. SecurityContext and Authentication Object
  4. AuthenticationManager, AuthenticationProvider, and UserDetailsService
  5. SecurityFilterChain Bean: The Modern Configuration API

Part 2: Authentication Mechanisms

  1. Form Login Authentication: From Request to Session
  2. HTTP Basic Authentication and Stateless APIs
  3. JWT Authentication: Stateless Token-Based Security
  4. Refresh Tokens and Token Rotation
  5. LDAP Authentication: Enterprise Directory Integration
  6. X.509 Certificate Authentication

Part 3: OAuth2 and OpenID Connect

  1. OAuth2 Fundamentals: Grant Types and Flows
  2. OAuth2 Login: Sign In with Google, GitHub, and Custom Providers
  3. OAuth2 Resource Server: Protecting APIs with Bearer Tokens
  4. Spring Authorization Server: Build Your Own OAuth2 Server

Part 4: Authorization

  1. HTTP Authorization: Securing Endpoints with requestMatchers
  2. Role-Based Access Control: Roles, Authorities, and Hierarchies
  3. Method Security: @PreAuthorize, @PostAuthorize, @Secured
  4. Domain Object Security: Access Control Lists (ACLs)

Part 5: Password Security

  1. Password Encoding: BCrypt, Argon2, and DelegatingPasswordEncoder
  2. Password Management: Registration, Reset, and Migration

Part 6: Session, CSRF, and CORS

  1. Session Management: Fixation, Concurrency, and Redis Sessions
  2. CSRF Protection: How It Works and When to Disable It
  3. CORS: Cross-Origin Requests and Preflight Configuration

Part 7: Security Headers and MFA

  1. Security Headers: CSP, HSTS, Clickjacking Protection
  2. Multi-Factor Authentication (TOTP and WebAuthn)

Part 8: Testing and Production

  1. Testing Spring Security: @WithMockUser, MockMvc, and SecurityMockMvc
  2. Actuator Security and Production Hardening
  3. Reactive Security with Spring WebFlux
  4. Spring Security Best Practices and Production Checklist

What You Will Learn

  • How Spring Security’s filter chain processes every HTTP request
  • Authentication: form login, JWT, HTTP Basic, LDAP, X.509, OAuth2
  • Authorization: URL-level, method-level, and domain-object security
  • OAuth2 and OpenID Connect: login, resource server, authorization server
  • Password encoding, session management, CSRF, and CORS
  • Security headers, multi-factor authentication (TOTP + WebAuthn)
  • Testing security with MockMvc and @WithMockUser
  • Reactive security with Spring WebFlux
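To make the modern configuration API from Part 1 concrete, here is a minimal Spring Security 6.x configuration. It is an illustration added to this index page, not code taken from the series itself. It wires a SecurityFilterChain bean with requestMatchers authorization, form login and HTTP Basic, a DelegatingPasswordEncoder, and two in-memory users; the URL patterns, usernames and passwords are constructed placeholders for a local run, not values the series prescribes.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Example Spring Security 6.x configuration (Spring Boot 3.x, Java 17+).
 * Every HTTP request passes through the filter chain built here; the
 * authorization rules are evaluated in declaration order, so the most
 * specific patterns come first and anyRequest() is the catch-all.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Constructed example paths: a public landing page and static content.
                .requestMatchers("/", "/public/**").permitAll()
                // hasRole("ADMIN") matches the authority "ROLE_ADMIN".
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // Deny-by-default: anything not listed above needs an authenticated user.
                .anyRequest().authenticated()
            )
            // Browser clients: form login backed by the HTTP session.
            .formLogin(Customizer.withDefaults())
            // API clients: HTTP Basic over TLS.
            .httpBasic(Customizer.withDefaults());
        // CSRF protection is left at its default (enabled); nothing to configure here.
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // DelegatingPasswordEncoder: new hashes are prefixed {bcrypt}; stored hashes
        // with other prefixes ({argon2}, {pbkdf2}, ...) still verify, which is what
        // makes later migration to a stronger algorithm possible.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed demo accounts for a local run only; real deployments load
        // users from a database, LDAP, or an identity provider.
        UserDetails user = User.builder()
            .username("user")
            .password(encoder.encode("user-password"))
            .roles("USER")
            .build();
        UserDetails admin = User.builder()
            .username("admin")
            .password(encoder.encode("admin-password"))
            .roles("USER", "ADMIN")
            .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

With Spring MVC on the classpath, the string patterns passed to requestMatchers are interpreted as MVC patterns, so they match the same way the controllers do. The point to carry into the rest of the series is the shape of the chain: ordered matchers, an explicit anyRequest() fallback, and defaults (CSRF, security headers) that stay on unless a later article gives a reason to change them.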

Prerequisites

  • Java 17+ (Spring Security 6.x and Spring Boot 3.x require Java 17 as a minimum; examples use Java 21)
  • Spring Boot basics (dependency injection, REST controllers)
  • Basic understanding of HTTP (request/response, cookies, headers)

No prior Spring Security experience needed.