Course – LSS – NPI (cat=Spring Security)
announcement - icon

If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:


1. Overview

Spring Security is based on a chain of servlet filters. Each filter has a specific responsibility and depending on the configuration, filters are added or removed.

In this tutorial, we’ll discuss different ways to find the registered Spring Security Filters.

2. Security Debugging

First, we’ll enable security debugging which will log detailed security information on each request.

We can enable security debugging using the debug property:

@EnableWebSecurity(debug = true)

This way, when we send a request to the server, all the request information will be logged.

We’ll also be able to see the entire security filter chain:

Security filter chain: [
  // ...

3. Logging

Next, we’ll find our security filters by enabling the logging for the FilterChainProxy.

We can enable logging by adding the following line to

Here’s the related log:

DEBUG - /foos/1 at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG - /foos/1 at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG - /foos/1 at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG - /foos/1 at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG - /foos/1 at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'

4. Obtaining the Filters Programmatically 

Now, we’ll see how to obtain the registered security filters programmatically.

We’ll use FilterChainProxy to get the security filters.

First, let’s autowire the springSecurityFilterChain bean:

private Filter springSecurityFilterChain;

Here, we used a @Qualifier with the name springSecurityFilterChain with type Filter instead of FilterChainProxy. This is because the method of springSecurityFilterChain() in WebSecurityConfiguration, which creates the Spring Security filter chain, return type Filter and not FilterChainProxy.

Next, we’ll cast this object to FilterChainProxy and call the getFilterChains() method:

public void getFilters() {
    FilterChainProxy filterChainProxy = (FilterChainProxy) springSecurityFilterChain;
    List<SecurityFilterChain> list = filterChainProxy.getFilterChains();
      .flatMap(chain -> chain.getFilters().stream()) 
      .forEach(filter -> System.out.println(filter.getClass()));

And here’s a sample output:


Note that since Spring Security 3.1, FilterChainProxy is configured using a list of SecurityFilterChain. However, most applications need only one SecurityFilterChain.

5. Important Spring Security Filters

Finally, let’s take a look at some of the important security filters:

  • UsernamePasswordAuthenticationFilter: process authentication, responds by default to “/login” URL
  • AnonymousAuthenticationFilter: when there’s no authentication object in SecurityContextHolder, it creates an anonymous authentication object and put it there
  • FilterSecurityInterceptor: raise exceptions when access is denied
  • ExceptionTranslationFilter: catch Spring Security exceptions

6. Conclusion

In this quick articles, we explored how to find the registered Spring Security filters programmatically and using logs.

As always, source code can be found over on GitHub.

Course – LSS (cat=Security/Spring Security)
announcement - icon

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:


res – Security (video) (cat=Security/Spring Security)
Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.