I just found the DefaultLoginHandler class to process the authentication on login. But I couldn't find the source code for checking the authentication/authorization after logging in? No one can help me on this?

My impression is that access to sections based on user role is done in code rather configuration. See for example Activiti/MainMenuBar.java at 5.x · Activiti/Activiti · GitHub 

Yes, I also looked at that class, but it has only one method (initButtons)  checking if user is an admin then display the manage button. It is not enough for the whole authentication/authorization system. I couldn't find any pieces of code to check if user have enough privileges to access to an area/function or not? 

Is the situation that the explorer doesn't do the level of authorization checking that you're expecting or that it does do it and you're not sure how to configure it? I presume there are particular use-cases you have in mind beyond restricting admin-only operations. I presume you're also aware of the new UI in v6 (Activiti/modules/activiti-ui at 6.0-release · Activiti/Activiti · GitHub  - for the equivalent checks in the new UI you could look at Activiti/SecurityUtils.java at 6.0-release · Activiti/Activiti · GitHub ).

I think it has the authorization feature at my expected level (for example, when a normal user access the area which is dedicated for admin, it is denied or goes to login screen), but I couldn't find the code for that feature. In the case I want to add more security roles and assign the secured resources/areas for them, I don't know how to change the code.

For the new UI in version 6.0, I need more time to explore it. For now, we need to use the old version for the current work.

Thanks,

Duke.