Spring Security SSO Series

This series is a deep dive into Single Sign-On (SSO) using Spring Security. It focuses not only on configuration, but also on how Spring Security actually works internally and how to debug real-world authentication and authorization issues.

If you often encounter unexplained 401 or 403 errors, this series is written for you.


📘 Part 1 — SSO Fundamentals

  1. Understanding SSO: Concepts and Protocols

    A clear explanation of SSO, OAuth2, OpenID Connect, tokens, and trust boundaries — without vendor-specific noise.


🔌 Part 2 — Integrating SSO with Spring

  1. Integrating Keycloak with Spring Boot — A Practical Guide

    Step-by-step integration of Keycloak with Spring Boot using OAuth2 and OIDC.

  2. SSO for Spring WebFlux — Reactive Authentication and Authorization

    How reactive authentication works in WebFlux and how it differs from traditional Servlet-based Spring Security.


🧠 Part 3 — How Spring Security Really Works

  1. How to Debug Spring Security Filter Chains Step by Step

    A detailed walkthrough of the Spring Security filter chain and how requests are processed internally.

  2. How to Log Spring Security Authorization Decisions

    Learn how Spring Security decides whether to allow or deny access, and how to log those decisions clearly.


🐞 Part 4 — Debugging 401 / 403 Errors

  1. Why Spring Security Returns 401 or 403 — and How to Fix It

    A conceptual explanation of authentication vs authorization failures, with real examples.

  2. Debugging Spring Boot Security: Why You Keep Getting 403

    A practical debugging guide when everything looks correct but access is still denied.

  3. Token Is Valid but Still 403 — 5 Real Reasons in Spring Security

    When JWT validation passes but authorization still fails — the most common hidden causes.

  4. Debugging SSO Authentication — Common Issues in Spring Security

    A collection of real-world SSO issues and how to systematically troubleshoot them.


🧭 Recommended Reading Order

  • Start with SSO concepts and protocols
  • Integrate Keycloak and understand WebFlux differences
  • Learn how Spring Security processes requests internally
  • Finish with deep debugging techniques for 401 / 403 issues

🎯 Who This Series Is For

  • Backend developers using Spring Boot or Spring WebFlux
  • Engineers struggling with unexplained 401 / 403 errors
  • Anyone who wants to truly understand Spring Security internals

This series pairs naturally with the Next.js + NextAuth.js Frontend SSO Series, providing a complete frontend + backend SSO reference.

Part of Lengerrong Blog
