If you have worked with Spring Boot for a while, you have used Spring Security without fully tracing what happens inside it. You add a dependency, configure a SecurityFilterChain, and wire a UserDetailsService, and your APIs are suddenly protected. It works. But under the hood, there is a very disciplined flow that decides who the user is, whether the password is valid, and whether the request should even reach your controller. Once that internal flow clicks, Spring Security stops feeling magical and starts feeling predictable.

The Big Picture

Every incoming HTTP request does not go straight to your controller. Before that request reaches DispatcherServlet, it passes through the servlet filter chain. Spring Security plugs itself into that chain and intercepts the request early. That matters because security decisions should happen before business logic runs.

The flow looks like this:

That is the full security journey in one line: intercept, authenticate, authorize, then continue.…
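
The configuration described above, as an added example that is not code from the original article: a SecurityFilterChain plus a UserDetailsService, with comments mapping each bean to the intercept, authenticate, authorize steps. It assumes Spring Boot 3 with Spring Security 6; the `/public/**` path, the user `alice` and the password are constructed sample values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // Intercept: this bean becomes a set of servlet filters that run
    // before DispatcherServlet, so no controller code executes first.
    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            // Authorize: rules are evaluated in order. Only the listed
            // path (hypothetical) is open; everything else fails closed.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            // Authenticate: HTTP Basic credentials are checked against
            // the UserDetailsService and PasswordEncoder beans below.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Answers "who is the user": looks up the account by username.
    // In-memory store with a constructed user, for illustration only.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice")
                .password(encoder.encode("constructed-sample-password"))
                .roles("USER")
                .build());
    }

    // Answers "is the password valid": compares the submitted password
    // against the stored hash (bcrypt by default for new hashes).
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

With this in place, an unauthenticated request to any path outside `/public/**` is rejected with 401 inside the filter chain and never reaches a controller.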