or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

docs

authentication-filters.mdauthorization.mdcsrf-protection.mdfilter-chain.mdfirewall.mdindex.mdlogout.mdreactive-security.mdrequest-matching.mdsaved-requests.mdsecurity-context.mdsecurity-headers.mdservlet-integration.mdsession-management.md
tile.json

tessl/maven-spring-security-web

Spring Security Web module provides comprehensive security services and servlet integration for web applications built with the Spring Framework

Workspace
tessl
Visibility
Public
Created
Last updated
Describes
mavenpkg:maven/org.springframework.security/spring-security-web@7.0.x

To install, run

npx @tessl/cli install tessl/maven-spring-security-web@7.0.0

index.mddocs/

Spring Security Web

Spring Security Web provides comprehensive security services and servlet integration for Java web applications. It implements filter-based security for Jakarta Servlet applications with authentication mechanisms, authorization controls, CSRF protection, session management, security headers, and request validation. The module integrates seamlessly with Spring MVC and Spring WebFlux, supporting both traditional servlet and reactive programming patterns.

Package Information

  • Package Name: spring-security-web
  • Package Type: maven
  • Group ID: org.springframework.security
  • Artifact ID: spring-security-web
  • Version: 7.0.0
  • Language: Java
  • Installation:

Maven:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>7.0.0</version>
</dependency>

Gradle:

implementation 'org.springframework.security:spring-security-web:7.0.0'

Key Information for Agents

Required Dependencies:

  • spring-security-web (this package)
  • spring-security-core is required (provides Authentication, AuthorizationManager, SecurityContext)
  • spring-security-config is required for @EnableWebSecurity and HttpSecurity DSL
  • Jakarta Servlet API (jakarta.servlet:jakarta.servlet-api) required for servlet-based components
  • Spring Web (spring-web) required for request/response handling
  • For reactive support: Spring WebFlux (spring-webflux) and Reactor Core required

Default Behaviors:

  • Default firewall: StrictHttpFirewall (rejects suspicious requests)
  • Default CSRF protection: Enabled for state-changing methods (POST, PUT, DELETE, PATCH)
  • Default session creation: IF_REQUIRED (creates session when needed)
  • Default session fixation: changeSessionId() (changes session ID on authentication)
  • Default security context storage: HttpSessionSecurityContextRepository (stores in HTTP session)
  • Default CSRF token repository: HttpSessionCsrfTokenRepository (stores token in session)
  • Default authentication entry point: LoginUrlAuthenticationEntryPoint (redirects to login page)
  • Default access denied handler: AccessDeniedHandlerImpl (sends HTTP 403 or forwards to error page)
  • Filter chain order: Firewall → SecurityContext → CSRF → Authentication → Authorization → Exception → Session
  • Default request matcher: PathPatternRequestMatcher (since 6.5, uses Spring PathPattern)

Threading Model:

  • All filters are thread-safe (process one request per thread)
  • SecurityContext is stored in ThreadLocal by default (via SecurityContextHolder)
  • FilterChainProxy matches requests sequentially (first matching chain wins)
  • Filters execute synchronously in servlet container thread
  • Reactive components use Reactor's non-blocking threading model
  • Session-based storage requires session affinity in clustered environments
  • SecurityContextRepository operations are per-request (thread-safe when using session storage)

Lifecycle:

  • FilterChainProxy implements Filter (registered in servlet container)
  • Filters implement GenericFilterBean or OncePerRequestFilter (Spring lifecycle aware)
  • SecurityFilterChain beans are discovered and registered automatically
  • @EnableWebSecurity triggers auto-configuration of security infrastructure
  • Security context is loaded at start of request, saved at end of request
  • CSRF tokens are generated on first request, validated on state-changing requests
  • Session management strategies execute during authentication events

Exceptions:

  • AuthenticationException - Authentication failures (BadCredentialsException, AccountExpiredException, etc.)
  • AccessDeniedException - Authorization failures (insufficient permissions)
  • CsrfException - CSRF token validation failures (MissingCsrfTokenException, InvalidCsrfTokenException)
  • SessionAuthenticationException - Session management failures (concurrent session limit exceeded)
  • RequestRejectedException - Firewall rejection (malicious request detected)
  • ServletException, IOException - Servlet API exceptions from filter chain processing

Edge Cases:

  • Multiple SecurityFilterChain beans: First matching chain is used (order matters)
  • Stateless applications: Use NullSecurityContextRepository and SessionCreationPolicy.STATELESS
  • CSRF protection: Disable for stateless APIs or use token-based authentication
  • Session fixation: changeSessionId() requires Servlet 3.1+, migrateSession() works on older versions
  • Concurrent sessions: Requires SessionRegistry bean and proper session tracking
  • Request caching: Only caches non-GET requests by default (configurable via RequestMatcher)
  • Security context: Must be loaded before authentication filters (order in filter chain matters)
  • Path pattern matching: Variables extracted from patterns are available in MatchResult.getVariables()
  • Reactive vs Servlet: Cannot mix servlet and reactive security in same application
  • Filter chain decorators: Can wrap filter chain for observability (e.g., Micrometer metrics)
  • Custom filters: Must be added to SecurityFilterChain in correct order relative to security filters

Core Imports

// Core filter chain infrastructure
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;

// Authentication filters
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.AuthenticationFilter;

// Authorization
import org.springframework.security.web.access.intercept.AuthorizationFilter;

// CSRF protection
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;

// Security context management
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

// Request matching
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;

Basic Usage

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            .formLogin(form -> form
                .loginPage("/login")
                .defaultSuccessUrl("/dashboard")
                .permitAll()
            )
            .logout(logout -> logout
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
            )
            .csrf(csrf -> csrf
                .csrfTokenRepository(new HttpSessionCsrfTokenRepository())
            );
        
        return http.build();
    }
}

Architecture

Spring Security Web is built around a filter chain architecture that intercepts HTTP requests and applies security logic:

  1. FilterChainProxy: The central entry point that delegates requests to matching SecurityFilterChain instances
  2. SecurityFilterChain: Defines filters that apply to specific request patterns
  3. Security Filters: Individual filters that perform authentication, authorization, CSRF protection, etc.
  4. SecurityContext: Thread-local storage for authentication information
  5. Request Matching: Flexible matchers for applying security rules to URL patterns

The filter chain processes requests in a defined order:

  1. Firewall validation (StrictHttpFirewall)
  2. SecurityContext loading (SecurityContextHolderFilter)
  3. CSRF protection (CsrfFilter)
  4. Authentication (UsernamePasswordAuthenticationFilter, etc.)
  5. Authorization (AuthorizationFilter)
  6. Exception handling (ExceptionTranslationFilter)
  7. Session management (SessionManagementFilter)

Capabilities

Filter Chain Infrastructure

The core filter chain infrastructure manages the security filter chain and delegates requests to appropriate security filters.

package org.springframework.security.web;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import java.util.List;

/**
 * Delegates Filter requests to a list of Spring-managed filter beans.
 * Central entry point for Spring Security web support.
 */
public class FilterChainProxy extends GenericFilterBean {
    public FilterChainProxy();
    public FilterChainProxy(SecurityFilterChain chain);
    public FilterChainProxy(List<SecurityFilterChain> filterChains);
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain);
    public List<SecurityFilterChain> getFilterChains();
    public List<Filter> getFilters(String url);
    public void setFirewall(HttpFirewall firewall);
    public void setRequestRejectedHandler(RequestRejectedHandler requestRejectedHandler);
    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy);
    public void setFilterChainValidator(FilterChainValidator filterChainValidator);
    public void setFilterChainDecorator(FilterChainDecorator filterChainDecorator);
}

/**
 * Defines a filter chain capable of being matched against an HttpServletRequest.
 */
public interface SecurityFilterChain {
    boolean matches(HttpServletRequest request);
    List<Filter> getFilters();
}

/**
 * Used to commence an authentication scheme when authentication is required.
 */
public interface AuthenticationEntryPoint {
    void commence(HttpServletRequest request, HttpServletResponse response,
                  AuthenticationException authException) throws IOException, ServletException;
}

Filter Chain Infrastructure

Authentication Filters

Authentication filters handle various authentication mechanisms including form login, HTTP Basic, remember-me, and one-time tokens.

package org.springframework.security.web.authentication;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/**
 * Processes authentication form submissions (username/password).
 */
public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
    public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
    
    public UsernamePasswordAuthenticationFilter();
    public UsernamePasswordAuthenticationFilter(AuthenticationManager authenticationManager);
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response);
    public void setUsernameParameter(String usernameParameter);
    public void setPasswordParameter(String passwordParameter);
    public void setPostOnly(boolean postOnly);
}

/**
 * Generic authentication filter that uses AuthenticationConverter and AuthenticationManager.
 */
public class AuthenticationFilter extends OncePerRequestFilter {
    public AuthenticationFilter(AuthenticationManager authenticationManager,
                                 AuthenticationConverter authenticationConverter);
    public AuthenticationFilter(AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver,
                                 AuthenticationConverter authenticationConverter);
    public RequestMatcher getRequestMatcher();
    public void setRequestMatcher(RequestMatcher requestMatcher);
    public AuthenticationConverter getAuthenticationConverter();
    public void setAuthenticationConverter(AuthenticationConverter authenticationConverter);
    public AuthenticationSuccessHandler getSuccessHandler();
    public void setSuccessHandler(AuthenticationSuccessHandler successHandler);
    public AuthenticationFailureHandler getFailureHandler();
    public void setFailureHandler(AuthenticationFailureHandler failureHandler);
    public AuthenticationManagerResolver<HttpServletRequest> getAuthenticationManagerResolver();
    public void setAuthenticationManagerResolver(AuthenticationManagerResolver<HttpServletRequest> resolver);
    public void setMfaEnabled(boolean mfaEnabled);
    public void setSecurityContextRepository(SecurityContextRepository securityContextRepository);
    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy);
}

/**
 * Strategy for handling successful authentication.
 */
public interface AuthenticationSuccessHandler {
    void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                  Authentication authentication) throws IOException, ServletException;
}

/**
 * Strategy for handling failed authentication.
 */
public interface AuthenticationFailureHandler {
    void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                  AuthenticationException exception) throws IOException, ServletException;
}

Authentication Filters

Authorization

Authorization controls restrict access to resources based on user permissions and roles.

package org.springframework.security.web.access.intercept;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import org.springframework.security.authorization.AuthorizationManager;

/**
 * Authorization filter that restricts access using AuthorizationManager.
 */
public class AuthorizationFilter extends OncePerRequestFilter {
    public AuthorizationFilter(AuthorizationManager<HttpServletRequest> authorizationManager);
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain);
    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy);
    public void setAuthorizationEventPublisher(AuthorizationEventPublisher eventPublisher);
    public void setObserveOncePerRequest(boolean observeOncePerRequest);
}
package org.springframework.security.web.access;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;

/**
 * Handles access denied failures.
 */
public interface AccessDeniedHandler {
    void handle(HttpServletRequest request, HttpServletResponse response,
                AccessDeniedException accessDeniedException) throws IOException, ServletException;
}

/**
 * Handles any AccessDeniedException and AuthenticationException thrown within the filter chain.
 */
public class ExceptionTranslationFilter extends GenericFilterBean {
    public ExceptionTranslationFilter(AuthenticationEntryPoint authenticationEntryPoint);
    public ExceptionTranslationFilter(AuthenticationEntryPoint authenticationEntryPoint,
                                       RequestCache requestCache);
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain);
    public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler);
}

Authorization and Access Control

CSRF Protection

Cross-Site Request Forgery (CSRF) protection generates and validates tokens to prevent unauthorized commands.

package org.springframework.security.web.csrf;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Represents expected CSRF token information.
 */
public interface CsrfToken {
    String getHeaderName();
    String getParameterName();
    String getToken();
}

/**
 * Manages CSRF token generation, storage, and retrieval.
 */
public interface CsrfTokenRepository {
    CsrfToken generateToken(HttpServletRequest request);
    void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response);
    CsrfToken loadToken(HttpServletRequest request);
}

/**
 * Applies CSRF protection to incoming requests.
 */
public final class CsrfFilter extends OncePerRequestFilter {
    public CsrfFilter(CsrfTokenRepository tokenRepository);
    public void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher);
    public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler);
    public void setCsrfTokenRequestHandler(CsrfTokenRequestHandler requestHandler);
}

/**
 * HTTP session-based CSRF token repository.
 */
public final class HttpSessionCsrfTokenRepository implements CsrfTokenRepository {
    public HttpSessionCsrfTokenRepository();
    public void setParameterName(String parameterName);
    public void setHeaderName(String headerName);
    public void setSessionAttributeName(String sessionAttributeName);
}

CSRF Protection

Session Management

Session management controls session fixation protection, concurrent session control, and session authentication strategy.

package org.springframework.security.web.authentication.session;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;

/**
 * Strategy for handling session-related activity during authentication.
 */
public interface SessionAuthenticationStrategy {
    void onAuthentication(Authentication authentication, HttpServletRequest request,
                          HttpServletResponse response) throws SessionAuthenticationException;
}

/**
 * Protects against session fixation attacks by migrating the session.
 */
public class ChangeSessionIdAuthenticationStrategy implements SessionAuthenticationStrategy {
    public void onAuthentication(Authentication authentication, HttpServletRequest request,
                                  HttpServletResponse response);
}

/**
 * Controls concurrent session limits per user.
 */
public class ConcurrentSessionControlAuthenticationStrategy implements SessionAuthenticationStrategy {
    public ConcurrentSessionControlAuthenticationStrategy(SessionRegistry sessionRegistry);
    public void setMaximumSessions(int maximumSessions);
    public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded);
}
package org.springframework.security.web.session;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;

/**
 * Detects session authentication events and handles session-related behavior.
 */
public class SessionManagementFilter extends GenericFilterBean {
    public SessionManagementFilter(SecurityContextRepository securityContextRepository,
                                    SessionAuthenticationStrategy sessionAuthenticationStrategy);
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain);
    public void setInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy);
}

Session Management

Security Context Persistence

Security context persistence manages storage and retrieval of authentication information between requests.

package org.springframework.security.web.context;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.context.SecurityContext;

/**
 * Strategy for persisting SecurityContext between requests.
 */
public interface SecurityContextRepository {
    SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
    DeferredSecurityContext loadDeferredContext(HttpServletRequest request);
    void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
    boolean containsContext(HttpServletRequest request);
}

/**
 * Stores security context in HttpSession.
 */
public class HttpSessionSecurityContextRepository implements SecurityContextRepository {
    public static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";
    
    public HttpSessionSecurityContextRepository();
    public void setAllowSessionCreation(boolean allowSessionCreation);
    public void setDisableUrlRewriting(boolean disableUrlRewriting);
    public void setSpringSecurityContextKey(String springSecurityContextKey);
}

/**
 * Loads and stores SecurityContext using SecurityContextRepository.
 */
public class SecurityContextHolderFilter extends OncePerRequestFilter {
    public SecurityContextHolderFilter(SecurityContextRepository securityContextRepository);
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain);
    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy);
}

Security Context Persistence

Security Headers

Security headers add HTTP response headers that enhance application security (CSP, HSTS, X-Frame-Options, etc.).

package org.springframework.security.web.header;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Writes security headers to HTTP response.
 */
public interface HeaderWriter {
    void writeHeaders(HttpServletRequest request, HttpServletResponse response);
}

/**
 * Filter that adds security headers to the response.
 */
public class HeaderWriterFilter extends OncePerRequestFilter {
    public HeaderWriterFilter(List<HeaderWriter> headerWriters);
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain);
    public void setShouldWriteHeadersEagerly(boolean shouldWriteHeadersEagerly);
}

Security Headers

Request Matching

Request matchers provide flexible patterns for matching HTTP requests in security rules.

package org.springframework.security.web.util.matcher;

import jakarta.servlet.http.HttpServletRequest;

/**
 * Strategy for matching HTTP requests.
 */
public interface RequestMatcher {
    boolean matches(HttpServletRequest request);
    
    /**
     * Detailed match result with variables.
     */
    interface MatchResult {
        boolean isMatch();
        Map<String, String> getVariables();
    }
    
    default MatchResult matcher(HttpServletRequest request) {
        // Default implementation
    }
}

/**
 * Matches requests using Spring PathPattern expressions (since 6.5).
 */
public final class PathPatternRequestMatcher implements RequestMatcher {
    public static PathPatternRequestMatcher pathPattern(String pattern);
    public static PathPatternRequestMatcher pathPattern(HttpMethod method, String pattern);
    public static Builder withDefaults();
    public static Builder withPathPatternParser(PathPatternParser parser);
    public boolean matches(HttpServletRequest request);
    public MatchResult matcher(HttpServletRequest request);

    /**
     * Builder for creating PathPatternRequestMatcher with base path support.
     */
    public static final class Builder {
        public Builder basePath(String basePath);
        public PathPatternRequestMatcher matcher(String path);
        public PathPatternRequestMatcher matcher(HttpMethod method, String path);
    }
}

/**
 * Matches requests using regular expressions.
 */
public final class RegexRequestMatcher implements RequestMatcher {
    public RegexRequestMatcher(String pattern, String httpMethod);
    public RegexRequestMatcher(String pattern, String httpMethod, boolean caseInsensitive);
    public boolean matches(HttpServletRequest request);
}

Request Matching

HTTP Firewall

HTTP firewall validates incoming requests and rejects potentially malicious requests.

package org.springframework.security.web.firewall;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Validates requests and provides wrapped request/response objects.
 */
public interface HttpFirewall {
    FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException;
    HttpServletResponse getFirewalledResponse(HttpServletResponse response);
}

/**
 * Strict HTTP firewall that rejects suspicious requests.
 */
public class StrictHttpFirewall implements HttpFirewall {
    public StrictHttpFirewall();
    public void setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod);
    public void setAllowedHttpMethods(Collection<String> allowedHttpMethods);
    public void setAllowSemicolon(boolean allowSemicolon);
    public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash);
    public void setAllowUrlEncodedDoubleSlash(boolean allowUrlEncodedDoubleSlash);
    public void setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod);
    public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent);
    public void setAllowBackSlash(boolean allowBackSlash);
    public void setAllowNull(boolean allowNull);
    public void setAllowUrlEncodedCarriageReturn(boolean allowUrlEncodedCarriageReturn);
    public void setAllowUrlEncodedLineFeed(boolean allowUrlEncodedLineFeed);
    public void setAllowUrlEncodedParagraphSeparator(boolean allow);
    public void setAllowUrlEncodedLineSeparator(boolean allow);
    public void setAllowedHeaderNames(Predicate<String> allowedHeaderNames);
    public void setAllowedHeaderValues(Predicate<String> allowedHeaderValues);
    public void setAllowedParameterNames(Predicate<String> allowedParameterNames);
    public void setAllowedParameterValues(Predicate<String> allowedParameterValues);
    public void setAllowedHostnames(Predicate<String> allowedHostnames);
    public Set<String> getEncodedUrlBlocklist();
    public Set<String> getDecodedUrlBlocklist();
}

/**
 * Thrown when a request is rejected by the firewall.
 */
public class RequestRejectedException extends RuntimeException {
    public RequestRejectedException(String message);
}

HTTP Firewall

Saved Requests

Saved requests cache the original request so users can be redirected to their intended destination after authentication.

package org.springframework.security.web.savedrequest;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Caches and retrieves saved requests.
 */
public interface RequestCache {
    void saveRequest(HttpServletRequest request, HttpServletResponse response);
    SavedRequest getRequest(HttpServletRequest request, HttpServletResponse response);
    HttpServletRequest getMatchingRequest(HttpServletRequest request, HttpServletResponse response);
    void removeRequest(HttpServletRequest request, HttpServletResponse response);
}

/**
 * Represents a cached HTTP request.
 */
public interface SavedRequest {
    String getRedirectUrl();
    List<Cookie> getCookies();
    String getMethod();
    List<String> getHeaderValues(String name);
    Collection<String> getHeaderNames();
    List<Locale> getLocales();
    String[] getParameterValues(String name);
    Map<String, String[]> getParameterMap();
}

/**
 * HTTP session-based request cache.
 */
public class HttpSessionRequestCache implements RequestCache {
    public HttpSessionRequestCache();
    public void setRequestMatcher(RequestMatcher requestMatcher);
    public void setSessionAttrName(String sessionAttrName);
    public void setCreateSessionAllowed(boolean createSessionAllowed);
}

Saved Requests

Logout

Logout handling manages user logout operations, clearing security contexts and invalidating sessions.

package org.springframework.security.web.authentication.logout;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;

/**
 * Participates in logout handling.
 */
public interface LogoutHandler {
    void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication);
}

/**
 * Strategy for handling successful logout.
 */
public interface LogoutSuccessHandler {
    void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                         Authentication authentication) throws IOException, ServletException;
}

/**
 * Processes logout requests.
 */
public class LogoutFilter extends GenericFilterBean {
    public LogoutFilter(LogoutSuccessHandler logoutSuccessHandler, LogoutHandler... handlers);
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain);
    public void setLogoutRequestMatcher(RequestMatcher logoutRequestMatcher);
}

/**
 * Clears SecurityContextHolder and invalidates session.
 */
public class SecurityContextLogoutHandler implements LogoutHandler {
    public SecurityContextLogoutHandler();
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication);
    public void setInvalidateHttpSession(boolean invalidateHttpSession);
    public void setClearAuthentication(boolean clearAuthentication);
}

Logout Handling

Servlet API Integration

Servlet API integration provides wrappers that integrate Spring Security with the standard Jakarta Servlet API.

package org.springframework.security.web.servletapi;

import jakarta.servlet.http.HttpServletRequest;
import java.security.Principal;

/**
 * Wraps HttpServletRequest to integrate Spring Security with Servlet API.
 */
public class SecurityContextHolderAwareRequestWrapper extends HttpServletRequestWrapper {
    public SecurityContextHolderAwareRequestWrapper(HttpServletRequest request, String rolePrefix);
    public String getRemoteUser();
    public Principal getUserPrincipal();
    public boolean isUserInRole(String role);
    public Authentication getAuthentication();
}

Servlet API Integration

Reactive Security (WebFlux)

Reactive security provides complete WebFlux equivalents of servlet-based security for reactive applications.

package org.springframework.security.web.server;

import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

/**
 * Defines a security filter chain for reactive applications.
 */
public interface SecurityWebFilterChain {
    Mono<Boolean> matches(ServerWebExchange exchange);
    Flux<WebFilter> getWebFilters();
}

/**
 * WebFilter that implements the security filter chain for reactive applications.
 */
public class WebFilterChainProxy implements WebFilter {
    public WebFilterChainProxy(List<SecurityWebFilterChain> filters);
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
}
package org.springframework.security.web.server.authentication;

import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * Reactive authentication manager for WebFlux applications.
 */
public interface ServerAuthenticationConverter {
    Mono<Authentication> convert(ServerWebExchange exchange);
}

/**
 * Performs authentication in reactive applications.
 */
public class AuthenticationWebFilter implements WebFilter {
    public AuthenticationWebFilter(ReactiveAuthenticationManager authenticationManager);
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
    public void setServerAuthenticationConverter(ServerAuthenticationConverter converter);
    public void setAuthenticationSuccessHandler(ServerAuthenticationSuccessHandler successHandler);
    public void setAuthenticationFailureHandler(ServerAuthenticationFailureHandler failureHandler);
}

Reactive Security (WebFlux)

Additional Topics

Remember-Me Services

Automatic login persistence across browser sessions using secure tokens.

Remember-Me Authentication

One-Time Token (OTT) Authentication

Passwordless authentication using one-time tokens delivered via email or SMS.

One-Time Token Authentication

Pre-Authentication

Integration with external authentication systems (J2EE, WebSphere, X.509 certificates).

Pre-Authentication

Switch User

Allows administrators to impersonate other users for support and testing.

Switch User

Jackson Integration

JSON serialization support for security objects using Jackson.

Jackson Integration

Annotation Support

Spring MVC integration with security annotations.

Annotation Support