- Sprint Security - Home
- Spring Security - Introduction
- Spring Security - Architecture
- Spring Security - Project Modules
- Spring Security - Environment Setup
- Spring Security - Form Login
- Spring Security - Custom Form Login
- Spring Security - Logout
- Spring Security - Remember Me
- Spring Security - Redirection
- Spring Security - Taglibs
- Spring Security - XML Configuration
- Spring Security - Authentication Provider
- Spring Security - Basic Authentication
- Spring Security - AuthenticationFailureHandler
- Spring Security - JWT
- Spring Security - Retrieve User Information
- Spring Security - Maven
- Spring Security - Default Password Encoder
- Spring Security – Password Encoding
- Spring Security - Methods Level
- Spring Security - Manual Authentication
- Spring Security - Extra Login Fields
- Spring Security - Prevent Brute Force
- Spring Security - Login Page with React
- Spring Security - Security Filter Chain
- Spring Security - Securing Spring Boot API
- Spring Security Useful Resources
- Spring Security - Quick Guide
- Spring Security - Useful Resources
- Spring Security - Discussion
Spring Security - Filter Chain
Introduction to Spring Security
Spring Security is a powerful and customizable authentication and access control framework that secures Spring-based applications. It provides a comprehensive set of features, such as authentication, authorization, protection against common security vulnerabilities (e.g., CSRF, session fixation), and supports a wide range of protocols and authentication mechanisms, including OAuth, LDAP, SAML, and more.
A key component of Spring Security is the SecurityFilterChain, which is responsible for processing HTTP requests and applying security logic, such as authentication and authorization checks. It plays a central role in securing Spring applications and provides fine-grained control over security configuration.
What is SecurityFilterChain?
The SecurityFilterChain is a critical interface within Spring Security that defines a sequence of filters which will be applied to every HTTP request coming into the application. It is the backbone for handling security concerns in a web-based application.
Each filter in the chain is responsible for a specific task such as checking if a user is authenticated, enforcing access controls, or performing actions related to security exceptions. The filters are invoked in a specific order, and their role is to either permit the request to continue to the next filter or to block the request, depending on the result of the security processing.
Before Spring Security 5.0, configuration was typically done using the WebSecurityConfigurerAdapter class. However, in the new Spring Security configuration style (since version 5.0), Spring introduced SecurityFilterChain to allow more granular and flexible configurations.
Since Spring Security 5.0, SecurityFilterChain has been at the forefront of simplifying security configurations by allowing developers to define their security setup in a more granular and flexible way. A functional approach where security configuration is defined by creating a SecurityFilterChain bean. This approach is considered more intuitive, as it does not require subclassing and allows for a more declarative style of configuration.
Understanding the Role of Security Filters
Filters are integral components of the SecurityFilterChain. Filters are the mechanisms through which Spring Security applies its security policies on incoming HTTP requests. The filters in the security filter chain perform various tasks such as−
Authentication− Ensuring the user is properly authenticated.
Authorization− Ensuring the user has the appropriate permissions to access a given resource.
CSRF Protection− Preventing Cross-Site Request Forgery (CSRF) attacks.
Session Management− Managing and securing user sessions.
Exception Handling− Dealing with unauthorized access or other security-related issues.
When a request is received by a Spring-based application, it first passes through the security filter chain. The filters evaluate the request, and based on the security rules defined in the configuration, they may either allow the request to proceed or block it.
Components of SecurityFilterChain
The SecurityFilterChain is composed of a number of filters, and these filters can be broadly categorized into three main groups−
Authentication Filters
Authorization Filters
Exception Handling Filters
Authentication Filters
Authentication filters are responsible for verifying the identity of the user making the request. Some of the most commonly used authentication filters are−
UsernamePasswordAuthenticationFilter− Handles form-based authentication, where a user submits a username and password.
BearerTokenAuthenticationFilter− Used for token-based authentication (e.g., JWT), where the token is passed in the HTTP header.
OAuth2LoginAuthenticationFilter− Handles OAuth2-based login, typically used in Single Sign-On (SSO) scenarios.
BasicAuthenticationFilter− Handles basic authentication, where credentials are sent via HTTP headers.
Each of these filters interacts with the AuthenticationManager to authenticate the user.
Authorization Filters
Authorization filters enforce access control on various endpoints in your application. After authentication, they ensure that the authenticated user has the necessary permissions to perform the requested action. Authorization can be based on roles, authorities, or custom expressions.
Some examples of authorization filters are−
FilterSecurityInterceptor− The main filter used to enforce access control.
AccessDecisionManager− Determines whether the user is allowed to access a resource based on their authorities or roles.
Exception Handling Filters
Exception handling filters are responsible for dealing with any security-related issues that arise during the request processing. These filters catch exceptions like AccessDeniedException, AuthenticationException, and return appropriate HTTP responses such as 403 Forbidden or 401 Unauthorized.
ExceptionTranslationFilter− Translates security-related exceptions into HTTP responses (e.g., redirect to login page or return a 403 HTTP status).
How SecurityFilterChain Works in Spring Security
The working of the SecurityFilterChain can be best understood by looking at the sequence of filters involved in request processing. Here's a high-level overview of how it works.
Custom SecurityFilterChain
Security Filter Registration
Filter Execution Flow
Creating a Custom SecurityFilterChain
In Spring Security, the configuration of SecurityFilterChain can be customized by using Java configuration (@Configuration and @EnableWebSecurity). The security filters can be added or removed based on the security needs of the application. A typical configuration looks like this−
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(
request -> request.requestMatchers("/public/**").permitAll() // Public endpoints
.requestMatchers("/admin/**").hasRole("ADMIN") // Admin-only endpoints
.anyRequest().authenticated()
)
.formLogin(Customizer.withDefaults())
.logout(config -> config
.logoutUrl("/logout")
.logoutSuccessUrl("/login"))
.build();
}
}
This configuration ensures that only authenticated users can access endpoints other than /public/**, while /admin/** requires the user to have the "ADMIN" role.
Security Filter Registration
Once the security filter chain is configured, Spring automatically registers the filters in the appropriate order. The filters will be invoked for each incoming HTTP request based on the configuration you provide. For instance, authentication filters will run first to validate the user, followed by authorization filters, and finally exception handling filters.
Filter Execution Flow
When an HTTP request enters the application, it passes through the filter chain in the following order−
-
SecurityContextPersistenceFilter− Retrieves the security context from the session or creates a new one.
-
Authentication Filters− Authenticate the user using one of the methods like form login or JWT token.
-
Authorization Filters− Verify the user's permissions and access control based on roles or authorities.
-
Exception Handling Filters− Handle any security exceptions and send appropriate HTTP responses.
If a filter allows the request to pass through, the next filter is executed, and this process continues until the request either completes or an exception is thrown.
Configuring SecurityFilterChain for Different Scenarios
Basic Authentication
For basic authentication, the configuration might look like this (in SecurityConfig.java). SecurityConfig class must have @Configuration and @EnableWebSecurity above class definition.
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(request -> request.anyRequest().authenticated()) // Authenticate all requests
.httpBasic(Customizer.withDefaults()) // Enable HTTP Basic Authentication
.build();
}
Form-based Login
Form-based login is enabled using: (same as above. This is the method in SecurityConfig class, which has @Configuration and @EnableWebSecurity declared above the class definition).
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(request -> request.anyRequest().authenticated()) // Authenticate all requests
.formLogin(Customizer.withDefaults()) // Enable Form based Authentication
.build();
}
Best Practices for Implementing SecurityFilterChain
Limit filter complexity− Keep the filters simple to avoid introducing security vulnerabilities. Combine similar security concerns into a single filter whenever possible.
Apply least privilege− Only expose the minimum necessary endpoints to unauthenticated users. Protect sensitive resources by requiring specific roles or authorities.
Custom filters− If the default filters do not meet your requirements, you can write custom filters for specific use cases, such as integrating with external authentication providers.
Test thoroughly− Ensure that your filter chains are thoroughly tested for authentication and authorization scenarios.
Challenges and Troubleshooting Common Issues
Incorrect Filter Order− Filters are executed in a specific order. Incorrect order can lead to issues where authentication is bypassed, or unauthorized users gain access.
AccessDeniedException− Ensure the correct authorities are assigned to users and that access control rules are properly configured.
Session Fixation Attacks− Ensure that session management filters are correctly configured to prevent attackers from hijacking user sessions.
Conclusion
Spring Security's SecurityFilterChain provides a robust and flexible mechanism for securing web applications. By understanding its components and how it processes HTTP requests, developers can create highly customized and secure applications. Whether you're dealing with basic authentication, JWT, or form-based login, SecurityFilterChain offers fine-grained control over security configurations, making it an essential tool in the Spring Security ecosystem.