tessl/maven-org-springframework-security--spring-security-web

The Spring Security Web module provides comprehensive web security features for Spring-based applications, including servlet-based authentication, authorization, CSRF protection, session management, and the security filter chain implementation.

Filter Chain and Security Infrastructure

The Spring Security Web filter chain infrastructure provides the foundation for all web security operations. It manages the execution of security filters in a configurable, ordered chain that processes HTTP requests.

Core Concepts

The filter chain system is built around several key concepts:

  • FilterChainProxy: Central dispatcher that routes requests to appropriate filter chains
  • SecurityFilterChain: Interface defining a collection of filters for specific request patterns
  • Request Matching: Flexible system for determining which filter chain applies to a request
  • Filter Ordering: Controlled execution order of security filters

Filter Chain Proxy

The FilterChainProxy is the main entry point for Spring Security web filtering.

public class FilterChainProxy extends GenericFilterBean {
    // Constructors
    public FilterChainProxy();
    public FilterChainProxy(SecurityFilterChain chain);
    public FilterChainProxy(List<SecurityFilterChain> filterChains);
    
    // Main filter method
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException;
    
    // Configuration methods
    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy);
    public void setFilterChainValidator(FilterChainValidator filterChainValidator);
    public void setFilterChainDecorator(FilterChainDecorator filterChainDecorator);
    public void setFirewall(HttpFirewall firewall);
    public void setRequestRejectedHandler(RequestRejectedHandler requestRejectedHandler);
    
    // Access methods
    public List<Filter> getFilters(String url);
    public List<SecurityFilterChain> getFilterChains();
}

Usage Example

// Create multiple filter chains for different URL patterns.
// FilterChainProxy uses the first chain whose matcher accepts the request,
// so the more specific "/api/**" chain must be listed before the "/**" chain.
List<SecurityFilterChain> chains = Arrays.asList(
    // API endpoints - stateless with JWT (JwtAuthenticationFilter is an
    // application-specific filter, not a Spring Security class)
    new DefaultSecurityFilterChain(
        new AntPathRequestMatcher("/api/**"),
        new JwtAuthenticationFilter(),
        new AuthorizationFilter(authorizationManager)   // AuthorizationManager<HttpServletRequest>
    ),

    // Web interface - session-based with forms
    new DefaultSecurityFilterChain(
        new AntPathRequestMatcher("/**"),
        new SecurityContextHolderFilter(new HttpSessionSecurityContextRepository()),
        new CsrfFilter(new HttpSessionCsrfTokenRepository()),
        new UsernamePasswordAuthenticationFilter(authenticationManager),
        new ExceptionTranslationFilter(authenticationEntryPoint)
    )
);

FilterChainProxy proxy = new FilterChainProxy(chains);

// Reject malformed URLs (encoded path-traversal sequences and the like) before any chain runs
proxy.setFirewall(new StrictHttpFirewall());

// Answer rejected requests with an HTTP status (400 by default) instead of letting the exception propagate
proxy.setRequestRejectedHandler(new HttpStatusRequestRejectedHandler());

Security Filter Chain

The SecurityFilterChain interface defines the contract for filter chains.

public interface SecurityFilterChain {
    // Determines if this chain should handle the request
    boolean matches(HttpServletRequest request);
    
    // Returns the ordered list of filters to execute
    List<Filter> getFilters();
}

Default Implementation

public class DefaultSecurityFilterChain implements SecurityFilterChain {
    // Constructors
    public DefaultSecurityFilterChain(RequestMatcher requestMatcher, Filter... filters);
    public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters);
    
    // SecurityFilterChain implementation
    public boolean matches(HttpServletRequest request);
    public List<Filter> getFilters();
    
    // Access methods
    public RequestMatcher getRequestMatcher();
}

Usage Example

// Create filter chain for admin paths
// (repository is a SecurityContextRepository; the Admin* filters are
// application-specific, not Spring Security classes)
RequestMatcher adminMatcher = new AntPathRequestMatcher("/admin/**");
List<Filter> adminFilters = Arrays.asList(
    new SecurityContextHolderFilter(repository),
    new AdminAuthenticationFilter(),
    new AdminAuthorizationFilter()
);

SecurityFilterChain adminChain = new DefaultSecurityFilterChain(adminMatcher, adminFilters);

// Create filter chain for public paths
RequestMatcher publicMatcher = new AntPathRequestMatcher("/public/**");
List<Filter> publicFilters = Arrays.asList(
    new AnonymousAuthenticationFilter("anonymous")   // key used to recognise anonymous tokens
);

SecurityFilterChain publicChain = new DefaultSecurityFilterChain(publicMatcher, publicFilters);

Filter Chain Decoration

Filter chain decoration allows customization of how filters are executed.

// Both types are nested in FilterChainProxy
public interface FilterChainDecorator {
    // Default: delegates to the two-argument form with an empty filter list
    default FilterChain decorate(FilterChain original);
    // Returns the FilterChain that FilterChainProxy actually invokes for the matched chain
    FilterChain decorate(FilterChain original, List<Filter> filters);
}

// Default decorator: runs the filters in order, then the original servlet chain
public static final class VirtualFilterChainDecorator implements FilterChainDecorator {
    public FilterChain decorate(FilterChain original);
    public FilterChain decorate(FilterChain original, List<Filter> filters);
}
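A decorator that records which filters actually executed for a request, as an added example (not Spring Security's own code). It delegates the real chaining to VirtualFilterChainDecorator and only wraps each filter; the class name and the request attribute name security.filtersExecuted are assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import org.springframework.security.web.FilterChainProxy;

// Hypothetical decorator, not part of Spring Security: wraps every filter of the
// matched chain so the names of the filters that actually ran are recorded on the
// request, in order. Useful for audit logging and for tests that must prove that a
// filter such as CsrfFilter executed for a given request.
public class RecordingFilterChainDecorator implements FilterChainProxy.FilterChainDecorator {
    // Request attribute holding the List<String> of executed filter names (assumed name).
    public static final String ATTR = "security.filtersExecuted";
    // The real chaining is still done by Spring Security's default decorator.
    private final FilterChainProxy.FilterChainDecorator delegate =
            new FilterChainProxy.VirtualFilterChainDecorator();

    @Override
    public FilterChain decorate(FilterChain original, List<Filter> filters) {
        List<Filter> wrapped = new ArrayList<>(filters.size());
        for (Filter f : filters) {
            wrapped.add(new Recording(f));
        }
        return delegate.decorate(original, wrapped);
    }

    private static final class Recording implements Filter {
        private final Filter target;
        Recording(Filter target) { this.target = target; }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            @SuppressWarnings("unchecked")
            List<String> executed = (List<String>) req.getAttribute(ATTR);
            if (executed == null) {
                executed = new ArrayList<>();
                req.setAttribute(ATTR, executed);
            }
            executed.add(target.getClass().getSimpleName());
            // A filter that rejects the request without calling chain.doFilter()
            // leaves the list ending at its own name, showing where the request stopped.
            target.doFilter(req, res, chain);
        }
    }
}
```

Install it with proxy.setFilterChainDecorator(new RecordingFilterChainDecorator()); downstream code (or a logging filter at the end of the chain) reads the list from the request attribute.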

Filter Chain Validation

Validation ensures filter chains are correctly configured.

// Nested in FilterChainProxy; the proxy calls validate(this) from afterPropertiesSet(),
// and the default implementation performs no checks
public interface FilterChainValidator {
    void validate(FilterChainProxy filterChainProxy);
}

Common Filter Chain Patterns

Stateless API Chain

// For REST APIs with JWT authentication
// (JwtAuthenticationFilter is application-specific; authorizationManager is an
// AuthorizationManager<HttpServletRequest>)
SecurityFilterChain apiChain = new DefaultSecurityFilterChain(
    new AntPathRequestMatcher("/api/**"),
    new JwtAuthenticationFilter(),
    new AuthorizationFilter(authorizationManager)
);

Session-Based Web Chain

// For traditional web applications. This is the standard Spring Security order:
// context loading, CSRF, authentication mechanisms, session handling, then
// exception translation wrapping the final authorization decision.
SecurityFilterChain webChain = new DefaultSecurityFilterChain(
    new AntPathRequestMatcher("/**"),
    new SecurityContextHolderFilter(new HttpSessionSecurityContextRepository()),
    new CsrfFilter(new HttpSessionCsrfTokenRepository()),
    new UsernamePasswordAuthenticationFilter(authenticationManager),
    new RememberMeAuthenticationFilter(authenticationManager, rememberMeServices),
    new AnonymousAuthenticationFilter("anonymous"),
    new SessionManagementFilter(repository),
    new ExceptionTranslationFilter(authenticationEntryPoint),
    new AuthorizationFilter(authorizationManager)
);

Public Resource Chain

// For publicly accessible resources.
// No filters are passed, so matching requests bypass all security processing
// (no SecurityContext, no CSRF check): keep the matcher narrow and register this
// chain before any catch-all "/**" chain, otherwise it is never reached.
SecurityFilterChain publicChain = new DefaultSecurityFilterChain(
    new OrRequestMatcher(
        new AntPathRequestMatcher("/css/**"),
        new AntPathRequestMatcher("/js/**"),
        new AntPathRequestMatcher("/images/**")
    )
    // varargs left empty - no security processing
);
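Every chain above depends on first-match ordering, and the Filter Chain Validation section shows the hook for checking it. The validator below is an added example, not Spring Security's own code: it rejects a catch-all chain that shadows later chains and probes sample URLs through FilterChainProxy.getFilters(String) to confirm the intended chain is selected. The class name and the constructed URL-to-chain expectations are assumptions.

```java
import java.util.List;
import java.util.Map;
import jakarta.servlet.Filter;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;

// Hypothetical validator, not part of Spring Security. FilterChainProxy invokes it from
// afterPropertiesSet(), so a misordered configuration fails at startup rather than
// silently routing requests to the wrong chain at runtime.
public class ChainOrderValidator implements FilterChainProxy.FilterChainValidator {
    // Sample URL -> index of the chain that must handle it (constructed expectations).
    private final Map<String, Integer> expectations;

    public ChainOrderValidator(Map<String, Integer> expectations) {
        this.expectations = expectations;
    }

    @Override
    public void validate(FilterChainProxy proxy) {
        List<SecurityFilterChain> chains = proxy.getFilterChains();
        // A catch-all chain shadows every chain registered after it.
        for (int i = 0; i < chains.size() - 1; i++) {
            if (isCatchAll(chains.get(i))) {
                throw new IllegalStateException("chain " + i + " matches every request; "
                        + (chains.size() - 1 - i) + " later chain(s) can never run");
            }
        }
        // getFilters(url) selects the first matching chain exactly as doFilter() does,
        // so probing sample URLs verifies the effective routing (null = no chain matched).
        for (Map.Entry<String, Integer> e : expectations.entrySet()) {
            List<Filter> actual = proxy.getFilters(e.getKey());
            List<Filter> expected = chains.get(e.getValue()).getFilters();
            if (actual == null || !actual.equals(expected)) {
                throw new IllegalStateException(e.getKey() + " is not handled by chain " + e.getValue());
            }
        }
    }

    private static boolean isCatchAll(SecurityFilterChain chain) {
        if (!(chain instanceof DefaultSecurityFilterChain dsfc)) {
            return false;
        }
        var m = dsfc.getRequestMatcher();
        return m instanceof AnyRequestMatcher
                || (m instanceof AntPathRequestMatcher ant && "/**".equals(ant.getPattern()));
    }
}
```

Wire it with proxy.setFilterChainValidator(new ChainOrderValidator(Map.of("/css/app.css", 0, "/api/users", 1, "/login", 2))) before the proxy is initialised; with the public, API and web chains registered in that order the check passes, and swapping the web chain to the front makes startup fail.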

Error Handling

Filter chains can encounter various exceptions during processing:

  • RequestRejectedException: Thrown when the firewall rejects a request
  • AuthenticationException: Thrown during authentication failures
  • AccessDeniedException: Thrown when access is denied
  • ServletException: General servlet processing errors
  • IOException: I/O related errors

FilterChainProxy itself handles only RequestRejectedException, delegating to the configured RequestRejectedHandler. AuthenticationException and AccessDeniedException are handled inside the chain by ExceptionTranslationFilter, which delegates to the AuthenticationEntryPoint and AccessDeniedHandler; ServletException and IOException propagate to the servlet container.

Install with Tessl CLI

npx tessl i tessl/maven-org-springframework-security--spring-security-web
