I just released the Starter Class of "Learn Spring Security":

>> CHECK OUT THE COURSE

1. The Problem

This article discusses a Spring Security configuration problem – the application bootstrapping process throwing the following exception:

SEVERE: Exception starting filter springSecurityFilterChain
org.springframework.beans.factory.NoSuchBeanDefinitionException: 
No bean named 'springSecurityFilterChain' is defined

2. The Cause

The cause of this exception is straightforward – Spring Security looks for a bean namedĀ springSecurityFilterChain (by default), and cannot find it. This bean is required by the main Spring Security Filter – the DelegatingFilterProxy – defined in the web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

This is just a proxy that delegates all its logic to theĀ springSecurityFilterChain bean.

3. The Solution

The most common reason this bean is missing from the context is that the security XML configuration has no <http> element defined:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.1.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.2.xsd">

</beans:beans>

If the XML configuration is using the security namespace – as the example above, then declaring a simple <http> element will ensure that the filter bean is created and everything starts up correctly:

<http auto-config='true'>
    <intercept-url pattern="/**" access="ROLE_USER" />
</http>

Another possible reason is that the security configuration is not imported at all into the overall context of the web application.

If the security XML config file is named springSecurityConfig.xml, make sure the resource is imported:

@ImportResource({"classpath:springSecurityConfig.xml"})

Or in XML:

<import resource="classpath:springSecurityConfig.xml" />

Finally, the default name of the filter bean can be changed in the web.xml – usually to use an existing Filter with Spring Security:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>customFilter</param-value>
    </init-param>
</filter>

4. Conclusion

This article discusses a very specific Spring Security problem – the missing filter chain bean – and shows the solutions to this common issue.

Get the early-bird price (20% Off) of my upcoming "Learn Spring Security" Course:

>> CHECK OUT THE COURSE

  • Amit Singh

    Hi Baeldung, I have basic question. I am trying to implement spring security, but I am not sure which class should I use for custom authentication. User and role information are stored in database. I override Authentication manager class and used my custom login dao to fetch data from database. Most of suggesations i see is using “UserdetailService” can you please explain which one is better and why ? Thanx for help in advance.

    • If your users and credentials are stored in the database, then you don’t need to override the Authentication Manager or the Authentication Provider – you can simply provide a UserDetailsService and you’re done. It’s only for more complex scenarios that you would need to have your own provider or manager. Hope that clears things up.
      Thanks. Eugen.

      • Amit Singh

        Can I use Digest Authentication if I customize Authentication manager ? if yes how please provide some hint.

        • Hi,
          Thanks for the interesting feedback – I would suggest checking out the Spring Security Digest Authentication post for details about how to configure Digest Authentication. Also, it would be great if you could add comments in the relevant article – for example, a question about Digest auth belongs in that particular article.
          Thanks. Eugen.

  • Von Huffman

    In reference to the following:
    Another possible reason is that the security configuration is not imported at all into the overall context of the web application.
    If the security XML config file is named springSecurityConfig.xml, make sure the resource is imported:
    ?1@ImportResource({“classpath:springSecurityConfig.xml”})
    Or in XML:
    ?1

    What file do you add the import statement to or the @ImportResource annotation to?

    • Yeah, that’s indeed a possibility. I usually create a SecurityConfig class that defines only security beans, scans only a security package (if it needs to) and imports the xml config.

  • Rajeev

    I am using Spring 4.1 Xand JDK 1.7.0_05. When I add the spring security filter in the web.xml, I get the ” org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named ‘springSecurityFilterChain’ is defined ” error. I have added http component as per your post but did not help in this case.Could you please give me some pointers how I can sort this error. Thanks …

    • Hey Rajeev – there may be corner cases where this exception is caused by something else – do you have a github project I can take a look at and reproduce the error? If not – go ahead and create one and I’d be happy to take a look. Cheers,
      Eugen.

  • pradipta n. hafenda

    Hi baeldung, thank you so much for the article. I’m trying to make a simple login form using spring security version 3.2.3 in my spring tool suite 3.4. I’ve been following your instruction because I keep getting that error. I’ve declared import resource in my root-context.xml but getting another error which is :

    org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Failed to import bean definitions from URL location [classpath:spring-security.xml]
    Offending resource: ServletContext resource [/WEB-INF/spring/root-context.xml]; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: IOException parsing XML document from class path resource [spring-security.xml]; nested exception is java.io.FileNotFoundException: class path resource [spring-security.xml] cannot be opened because it does not exist

    I’ve been thinking that it might be because i’m not giving the correct classpath. But i’ve made sure that the URL is the right one for my spring-security.xml page. But I still can’t find out what the exact problem is.
    could you help me pointing out why this error is happening?
    Thank you

    • Hey Pradipta,
      The problem with these kinds of low level errors is that they may have a lot of nuanced and slightly different root causes, and you usually need the actual codebase to identify what’s going on (not just the stacktrace).
      In this case however, the stacktrace looks enough – your spring-security.xml file simply isn’t found, so you’re either referencing it the wrong way, or you’re actually missing it. That’s the root cause, and that’s what triggers everything else.
      Hope that helps. Cheers,
      Eugen.

  • It looks like you’re missing the following dependency: spring-web – make sure you define that in your pom.

    • pradipta n. hafenda

      I looked the pom file again as your suggestion, turns out there was some error in my pom properties, i fixed it and now it work. Thank you so much for your help Eugene.