• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Liutauras Vilda
  • Paul Clapham
  • paul wheaton
  • Tim Cooke
  • Henry Wong
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Piet Souris
  • Mike London

Spring security filters are different from what Spring document says

Posts: 2266
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi everyone,
I executed my instructor's code and put a breakpoint at DefaultSecurityFilterChain's constructor.
I notice the order of the filters in the chain include:

0 = WebAsyncManagerIntegrationFilter
1 = SecurityContextPersistenceFilter
2 = HeaderWriterFilter
3 = CsrfFilter
4 =  CustomerRequestParameterAuthenticationFilter (My instructor adds it)
5 =  LogoutFilter ( My instructor adds it)
6 = UsernamePasswordAuthenticationFilter
7 = RequestCacheAwareFilter
8 = SecurityContextHolderAwareRequestFilter
9 = AnonymousAuthenticationFilter
10 = SessionManagementFilter
11 = ExceptionTranslationFilter
12 = FilterSecurityInterceptor

However, in Spring 5.1.1.Release , the filter ordering is different from what I saw. The document lists:

0 = ChannelProcessingFilter
1 = SecurityContextPersistenceFilter
2 = ConcurrentSessionFilter
3 = UsernamePaswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter
4 = SecurityContextHolderAwareRequestFilter
5 = JaasApiIntegrationFilter
6 = RememberMeAuthenticationFilter
7 = AnonymousAuthenticationFilter
8 = ExceptionTranslationFilter
9 = FilterSecurityInterceptor

Reference: https://docs.spring.io/spring-security/site/docs/5.1.1.RELEASE/reference/htmlsingle/#filter-ordering

Why the filter chain in my instructor's example is different from the document?

Saloon Keeper
Posts: 14702
  • Likes 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Spring Security is a broad framework that can be used in many different kinds of applications. Since it's so broad, it can't give a definite list of filters that is to be used in a specific application.

The example given by your instructor is a web application, and the DefaultSecurityFilterChain contains filters that are appropriate for a web application. For instance, a CSRF filter will only be used in web applications, not in all applications that use Spring Security.
Don't get me started about those stupid light bulbs.
    Bookmark Topic Watch Topic
  • New Topic