Find the Registered Spring Security Filters

2021 VietMX JAVA 0

1. Overview

Spring Security is based on a chain of servlet filters. Each filter has a specific responsibility and depending on the configuration, filters are added or removed.

In this tutorial, we’ll discuss different ways to find the registered Spring Security Filters.

2. Security Debugging

First, we’ll enable security debugging which will log detailed security information on each request.

We can enable security debugging using the debug property:

@EnableWebSecurity(debug = true)

This way, when we send a request to the server, all the request information will be logged.

We’ll also be able to see the entire security filter chain:

Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  UsernamePasswordAuthenticationFilter
  // ...
]

3. Logging

Next, we’ll find our security filters by enabling the logging for the FilterChainProxy.

We can enable logging by adding the following line to application.properties:

logging.level.org.springframework.security.web.FilterChainProxy=DEBUG

Here’s the related log:

DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
...

4. Obtaining the Filters Programmatically

Now, we’ll see how to obtain the registered security filters programmatically.

We’ll use FilterChainProxy to get the security filters.

First, let’s autowire the springSecurityFilterChain bean:

@Autowired
@Qualifier("springSecurityFilterChain")
private Filter springSecurityFilterChain;

Here, we used a @Qualifier with the name springSecurityFilterChain with type Filter instead of FilterChainProxy. This is because the method of springSecurityFilterChain() in WebSecurityConfiguration, which creates the Spring Security filter chain, return type Filter and not FilterChainProxy.

Next, we’ll cast this object to FilterChainProxy and call the getFilterChains() method:

public void getFilters() {
    FilterChainProxy filterChainProxy = (FilterChainProxy) springSecurityFilterChain;
    List<SecurityFilterChain> list = filterChainProxy.getFilterChains();
    list.stream()
      .flatMap(chain -> chain.getFilters().stream()) 
      .forEach(filter -> System.out.println(filter.getClass()));
}

And here’s a sample output:

class org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter
class org.springframework.security.web.context.SecurityContextPersistenceFilter
class org.springframework.security.web.header.HeaderWriterFilter
class org.springframework.security.web.authentication.logout.LogoutFilter
class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
...

Note that since Spring Security 3.1, FilterChainProxy is configured using a list of SecurityFilterChain. However, most applications need only one SecurityFilterChain.

5. Important Spring Security Filters

Finally, let’s take a look at some of the important security filters:

  • UsernamePasswordAuthenticationFilter: process authentication, responds by default to “/login” URL
  • AnonymousAuthenticationFilter: when there’s no authentication object in SecurityContextHolder, it creates an anonymous authentication object and put it there
  • FilterSecurityInterceptor: raise exceptions when access is denied
  • ExceptionTranslationFilter: catch Spring Security exceptions

6. Conclusion

In this quick articles, we explored how to find the registered Spring Security filters programmatically and using logs.

As always, source code can be found over on GitHub.

Related posts:

A Custom Data Binder in Spring MVC
A Guide to BitSet in Java
Java Program to find the maximum subarray sum O(n^2) time(naive method)
Configure a RestTemplate with RestTemplateBuilder
Spring Boot - Runners
Working with Tree Model Nodes in Jackson
Calling Stored Procedures from Spring Data JPA Repositories
Introduction to Netflix Archaius with Spring Cloud
Java Program to Implement Euler Circuit Problem
Hashing a Password in Java
Java Program to Implement Bubble Sort
Java Program to Use the Bellman-Ford Algorithm to Find the Shortest Path
Java Program to Implement Bit Array
Sao chép các phần tử của một mảng sang mảng khác như thế nào?
Guide to Spring 5 WebFlux
Refactoring Design Pattern với tính năng mới trong Java 8
Guide to Mustache with Spring Boot
Deque và ArrayDeque trong Java
Java Program to Implement D-ary-Heap
Guide to the Java Clock Class
Vòng lặp for, while, do-while trong Java
Java Program to Perform the Sorting Using Counting Sort
Java Program to Implement Queue using Two Stacks
Initialize a HashMap in Java
Spring Security Login Page with React
Java Program to Implement Miller Rabin Primality Test Algorithm
Java Program to Implement ArrayDeque API
Multi Dimensional ArrayList in Java
Java Program to Perform Search in a BST
Simultaneous Spring WebClient Calls
Quick Guide to @RestClientTest in Spring Boot
Introduction to the Java NIO2 File API