Understanding authentication in Spring Security

In the previous section, we saw two examples of filters that provide authentication—BasicAuthenticationFilter and UsernamePasswordAuthenticationFilter. You can also add other authentication filters; for example, DigestAuthenticationFilter handles digest authentication.

User credentials might be stored in different kinds of data stores—LDAP, databases, or in-memory.

How do these filters authenticate against user credentials?

Consider this piece of code from BasicAuthenticationFilter:

    Authentication authResult = this.authenticationManager
            .authenticate(authRequest);
    SecurityContextHolder.getContext().setAuthentication(authResult);

It does two things:

  • Calls authenticationManager to authenticate the request.
  • If authentication succeeds, it stores the result in SecurityContextHolder. This result is visible to other filters down the chain, and also to the REST API implementation controllers.

Typical Spring Security authentication implementations work in a similar way to BasicAuthenticationFilter.
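
The same two steps can be exercised outside a filter, against an in-memory credential store. This is an added example, not code from the book or from Spring Security itself. It assumes Spring Security 5.x or 6.x on the classpath; the class name AuthenticationFlowDemo, the user alice, and the sample password are constructed for illustration.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class AuthenticationFlowDemo {

    // Constructed sample user in an in-memory store; only the BCrypt hash is kept.
    static AuthenticationManager buildManager() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(
                User.withUsername("alice").password(encoder.encode("s3cret-sample")).roles("USER").build());
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        return new ProviderManager(provider);
    }

    // Mirrors the two steps in the filter: authenticate, then publish the result.
    static boolean attempt(AuthenticationManager manager, String username, String password) {
        Authentication authRequest = new UsernamePasswordAuthenticationToken(username, password);
        try {
            Authentication authResult = manager.authenticate(authRequest);
            SecurityContextHolder.getContext().setAuthentication(authResult);
            return true;
        } catch (AuthenticationException ex) {
            // On failure nothing is published; drop any stale identity on this thread.
            SecurityContextHolder.clearContext();
            return false;
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        System.out.println("good password: " + attempt(manager, "alice", "s3cret-sample"));
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        System.out.println("principal=" + current.getName() + " authorities=" + current.getAuthorities()
                + " credentials erased=" + (current.getCredentials() == null));
        System.out.println("bad password: " + attempt(manager, "alice", "wrong"));
        System.out.println("context after failure: " + SecurityContextHolder.getContext().getAuthentication());
    }
}
```

Swapping InMemoryUserDetailsManager for a database- or LDAP-backed UserDetailsService changes where credentials are looked up without changing the authenticate-then-store sequence.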
