1. Overview
Spring Security is based on a chain of servlet filters. Each filter has a specific responsibility and depending on the configuration, filters are added or removed.
In this tutorial, we’ll discuss different ways to find the registered Spring Security Filters.
2. Security Debugging
First, we’ll enable security debugging which will log detailed security information on each request.
We can enable security debugging using the debug property:
@EnableWebSecurity(debug = true)
This way, when we send a request to the server, all the request information will be logged.
We’ll also be able to see the entire security filter chain:
Security filter chain: [ WebAsyncManagerIntegrationFilter SecurityContextPersistenceFilter HeaderWriterFilter LogoutFilter UsernamePasswordAuthenticationFilter // ... ]
3. Logging
Next, we’ll find our security filters by enabling the logging for the FilterChainProxy.
We can enable logging by adding the following line to application.properties:
logging.level.org.springframework.security.web.FilterChainProxy=DEBUG
Here’s the related log:
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter' DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter' DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' ...
4. Obtaining the Filters Programmatically
Now, we’ll see how to obtain the registered security filters programmatically.
We’ll use FilterChainProxy to get the security filters.
First, let’s autowire the springSecurityFilterChain bean:
@Autowired @Qualifier("springSecurityFilterChain") private Filter springSecurityFilterChain;
Here, we used a @Qualifier with the name springSecurityFilterChain with type Filter instead of FilterChainProxy. This is because the method of springSecurityFilterChain() in WebSecurityConfiguration, which creates the Spring Security filter chain, return type Filter and not FilterChainProxy.
Next, we’ll cast this object to FilterChainProxy and call the getFilterChains() method:
public void getFilters() { FilterChainProxy filterChainProxy = (FilterChainProxy) springSecurityFilterChain; List<SecurityFilterChain> list = filterChainProxy.getFilterChains(); list.stream() .flatMap(chain -> chain.getFilters().stream()) .forEach(filter -> System.out.println(filter.getClass())); }
And here’s a sample output:
class org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter class org.springframework.security.web.context.SecurityContextPersistenceFilter class org.springframework.security.web.header.HeaderWriterFilter class org.springframework.security.web.authentication.logout.LogoutFilter class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter ...
Note that since Spring Security 3.1, FilterChainProxy is configured using a list of SecurityFilterChain. However, most applications need only one SecurityFilterChain.
5. Important Spring Security Filters
Finally, let’s take a look at some of the important security filters:
- UsernamePasswordAuthenticationFilter: process authentication, responds by default to “/login” URL
- AnonymousAuthenticationFilter: when there’s no authentication object in SecurityContextHolder, it creates an anonymous authentication object and put it there
- FilterSecurityInterceptor: raise exceptions when access is denied
- ExceptionTranslationFilter: catch Spring Security exceptions
6. Conclusion
In this quick articles, we explored how to find the registered Spring Security filters programmatically and using logs.
As always, source code can be found over on GitHub.