Security Top

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

>> CHECK OUT THE COURSE

1. The Problem

This article discusses a Spring Security configuration problem – the application bootstrapping process throwing the following exception:

SEVERE: Exception starting filter springSecurityFilterChain
org.springframework.beans.factory.NoSuchBeanDefinitionException: 
No bean named 'springSecurityFilterChain' is defined

Further reading:

Introduction to Java Config for Spring Security

A quick and practical guide to Java Config for Spring Security

Spring Security 5 – OAuth2 Login

Learn how to authenticate users with Facebook, Google or other credentials using OAuth2 in Spring Security 5.

Servlet 3 Async Support with Spring MVC and Spring Security

Quick intro to the Spring Security support for async requests in Spring MVC.

2. The Cause

The cause of this exception is straightforward – Spring Security looks for a bean named springSecurityFilterChain (by default), and cannot find it. This bean is required by the main Spring Security Filter – the DelegatingFilterProxy – defined in the web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

This is just a proxy that delegates all its logic to the springSecurityFilterChain bean.

3. The Solution

The most common reason this bean is missing from the context is that the security XML configuration has no <http> element defined:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:sec="http://www.springframework.org/schema/security"
  xsi:schemaLocation="
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd">

</beans:beans>

If the XML configuration is using the security namespace – as the example above, then declaring a simple <http> element will ensure that the filter bean is created and everything starts up correctly:

<http auto-config='true'>
    <intercept-url pattern="/**" access="ROLE_USER" />
</http>

Another possible reason is that the security configuration is not imported at all into the overall context of the web application.

If the security XML config file is named springSecurityConfig.xml, make sure the resource is imported:

@ImportResource({"classpath:springSecurityConfig.xml"})

Or in XML:

<import resource="classpath:springSecurityConfig.xml" />

Finally, the default name of the filter bean can be changed in the web.xml – usually to use an existing Filter with Spring Security:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>customFilter</param-value>
    </init-param>
</filter>

4. Conclusion

This article discusses a very specific Spring Security problem – the missing filter chain bean – and shows the solutions to this common issue.

Security bottom

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

>> CHECK OUT THE COURSE
11 Comments
Oldest
Newest
Inline Feedbacks
View all comments
Von Huffman
Von Huffman
6 years ago

In reference to the following:
Another possible reason is that the security configuration is not imported at all into the overall context of the web application.
If the security XML config file is named springSecurityConfig.xml, make sure the resource is imported:
[email protected]({“classpath:springSecurityConfig.xml”})
Or in XML:
?1

What file do you add the import statement to or the @ImportResource annotation to?

Eugen Paraschiv
6 years ago
Reply to  Von Huffman

Yeah, that’s indeed a possibility. I usually create a SecurityConfig class that defines only security beans, scans only a security package (if it needs to) and imports the xml config.

Rajeev
Rajeev
5 years ago

I am using Spring 4.1 Xand JDK 1.7.0_05. When I add the spring security filter in the web.xml, I get the ” org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named ‘springSecurityFilterChain’ is defined ” error. I have added http component as per your post but did not help in this case.Could you please give me some pointers how I can sort this error. Thanks …

Eugen Paraschiv
5 years ago
Reply to  Rajeev

Hey Rajeev – there may be corner cases where this exception is caused by something else – do you have a github project I can take a look at and reproduce the error? If not – go ahead and create one and I’d be happy to take a look. Cheers,
Eugen.

pradipta n. hafenda
pradipta n. hafenda
4 years ago

Hi baeldung, thank you so much for the article. I’m trying to make a simple login form using spring security version 3.2.3 in my spring tool suite 3.4. I’ve been following your instruction because I keep getting that error. I’ve declared import resource in my root-context.xml but getting another error which is : org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Failed to import bean definitions from URL location [classpath:spring-security.xml] Offending resource: ServletContext resource [/WEB-INF/spring/root-context.xml]; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: IOException parsing XML document from class path resource [spring-security.xml]; nested exception is java.io.FileNotFoundException: class path resource [spring-security.xml] cannot be opened because it does not exist I’ve… Read more »

Eugen Paraschiv
4 years ago

Hey Pradipta,
The problem with these kinds of low level errors is that they may have a lot of nuanced and slightly different root causes, and you usually need the actual codebase to identify what’s going on (not just the stacktrace).
In this case however, the stacktrace looks enough – your spring-security.xml file simply isn’t found, so you’re either referencing it the wrong way, or you’re actually missing it. That’s the root cause, and that’s what triggers everything else.
Hope that helps. Cheers,
Eugen.

pradipta n. hafenda
pradipta n. hafenda
4 years ago

This is my full stacktrace http://pastebin.com/9Q3fGiLU
Maybe you could check that out and help me fixing this problem please?
Cause I’m new to spring and the configuration is so confusing. Thanks for your help.

Eugen Paraschiv
4 years ago

It looks like you’re missing the following dependency: spring-web – make sure you define that in your pom.

pradipta n. hafenda
pradipta n. hafenda
4 years ago

I looked the pom file again as your suggestion, turns out there was some error in my pom properties, i fixed it and now it work. Thank you so much for your help Eugene.

Paawan Bhatt
Paawan Bhatt
4 years ago

springSecurityFilterChain

org.springframework.web.filter.DelegatingFilterProxy

targetBeanName

customFilter

In above case what does targetBeanName and customFilter means

Eugen Paraschiv
4 years ago
Reply to  Paawan Bhatt

So these just point to the new bean name and new filter implementation – if you prefer to specify these yourself and diverge from the defaults. Most of the time, I’d say you don’t need to do that though.
Hope that helps. Cheers,
Eugen.

Comments are closed on this article!