Course – LSS – NPI (cat=Security/Spring Security)
announcement - icon

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

>> CHECK OUT THE COURSE

1. Overview

Spring Security is based on a chain of servlet filters. Each filter has a specific responsibility and depending on the configuration, filters are added or removed.

In this tutorial, we’ll discuss different ways to find the registered Spring Security Filters.

2. Security Debugging

First, we’ll enable security debugging which will log detailed security information on each request.

We can enable security debugging using the debug property:

@EnableWebSecurity(debug = true)

This way, when we send a request to the server, all the request information will be logged.

We’ll also be able to see the entire security filter chain:

Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  UsernamePasswordAuthenticationFilter
  // ...
]

3. Logging

Next, we’ll find our security filters by enabling the logging for the FilterChainProxy.

We can enable logging by adding the following line to application.properties:

logging.level.org.springframework.security.web.FilterChainProxy=DEBUG

Here’s the related log:

DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
...

4. Obtaining the Filters Programmatically 

Now, we’ll see how to obtain the registered security filters programmatically.

We’ll use FilterChainProxy to get the security filters.

First, let’s autowire the springSecurityFilterChain bean:

@Autowired
@Qualifier("springSecurityFilterChain")
private Filter springSecurityFilterChain;

Here, we used a @Qualifier with the name springSecurityFilterChain with type Filter instead of FilterChainProxy. This is because the method of springSecurityFilterChain() in WebSecurityConfiguration, which creates the Spring Security filter chain, return type Filter and not FilterChainProxy.

Next, we’ll cast this object to FilterChainProxy and call the getFilterChains() method:

public void getFilters() {
    FilterChainProxy filterChainProxy = (FilterChainProxy) springSecurityFilterChain;
    List<SecurityFilterChain> list = filterChainProxy.getFilterChains();
    list.stream()
      .flatMap(chain -> chain.getFilters().stream()) 
      .forEach(filter -> System.out.println(filter.getClass()));
}

And here’s a sample output:

class org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter
class org.springframework.security.web.context.SecurityContextPersistenceFilter
class org.springframework.security.web.header.HeaderWriterFilter
class org.springframework.security.web.authentication.logout.LogoutFilter
class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
...

Note that since Spring Security 3.1, FilterChainProxy is configured using a list of SecurityFilterChain. However, most applications need only one SecurityFilterChain.

5. Important Spring Security Filters

Finally, let’s take a look at some of the important security filters:

  • UsernamePasswordAuthenticationFilter: process authentication, responds by default to “/login” URL
  • AnonymousAuthenticationFilter: when there’s no authentication object in SecurityContextHolder, it creates an anonymous authentication object and put it there
  • FilterSecurityInterceptor: raise exceptions when access is denied
  • ExceptionTranslationFilter: catch Spring Security exceptions

6. Conclusion

In this quick articles, we explored how to find the registered Spring Security filters programmatically and using logs.

As always, source code can be found over on GitHub.

Course – LSS (cat=Security/Spring Security)

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

>> CHECK OUT THE COURSE
res – Security (video) (cat=Security/Spring Security)
Comments are closed on this article!