Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.
Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements.

Features

  • Comprehensive and extensible support for both Authentication and Authorization
  • Protection against attacks like session fixation, clickjacking, cross-site request forgery, etc.
  • Servlet API integration
  • Optional integration with Spring Web MVC
  • Much more…

Figure 1. An AuthenticationManager hierarchy using ProviderManager

Authentication Architecture

Here is a simple Spring Security architecture that uses the UserDetailsService + UsernamePasswordAuthenticationToken method.

In Spring Security, there are some core concepts:
  • Authentication
  • Authorization
  • Servlet Filters
  • AuthenticationProviders

Authentication: used to verify whether a user has logged in successfully or not.
Authorization: used to determine whether a logged-in user has permission to access the resources and functions of an application.
Servlet Filters: run on every request. We can use a servlet filter to check the user's token from the authentication phase.
AuthenticationProviders: used to authenticate/validate the user. Spring Security provides the following providers:
  • DaoAuthenticationProvider
  • LdapAuthenticationProvider
  • PreAuthenticatedAuthenticationProvider
  • ActiveDirectoryLdapAuthenticationProvider
  • JaasAuthenticationProvider
  • CasAuthenticationProvider
  • RememberMeAuthenticationProvider
  • AnonymousAuthenticationProvider
  • RunAsImplAuthenticationProvider
  • OpenIDAuthenticationProvider

I think that DaoAuthenticationProvider and LdapAuthenticationProvider are very popular in SME companies.
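
The UserDetailsService + UsernamePasswordAuthenticationToken flow described above, wired by hand as an added example (not code from the original post): a ProviderManager delegates to a DaoAuthenticationProvider, which loads the user through a UserDetailsService and checks the password hash. It assumes the Spring Security 5.x/6.x API on the classpath; the class name `DaoAuthDemo`, the accounts and the passwords are constructed for illustration.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class DaoAuthDemo {
    // Builds the chain ProviderManager -> DaoAuthenticationProvider -> UserDetailsService.
    static AuthenticationManager buildManager() {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample account; only the BCrypt hash of the password is stored.
        UserDetailsService users = new InMemoryUserDetailsManager(
                User.withUsername("alice")
                    .password(encoder.encode("correct horse battery"))
                    .roles("USER")
                    .build());
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        return new ProviderManager(provider);
    }

    // Submits one login attempt and returns a description of the outcome.
    static String attempt(AuthenticationManager manager, String username, String password) {
        try {
            Authentication result = manager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            // By default ProviderManager erases the credentials from the returned token.
            return "authenticated=" + result.isAuthenticated()
                    + " authorities=" + result.getAuthorities()
                    + " credentials=" + result.getCredentials();
        } catch (BadCredentialsException e) {
            // By default an unknown user and a wrong password raise the same exception.
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        System.out.println(attempt(manager, "alice", "correct horse battery"));
        System.out.println(attempt(manager, "alice", "wrong password"));
        System.out.println(attempt(manager, "mallory", "anything"));
    }
}
```

The second and third attempts are rejected the same way, so a caller cannot tell from the exception whether the account exists.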
