Find the Registered Spring Security Filters

1. Overview

Spring Security is based on a chain of servlet filters. Each filter has a specific responsibility and depending on the configuration, filters are added or removed.

In this tutorial, we’ll discuss different ways to find the registered Spring Security Filters.

2. Security Debugging

First, we’ll enable security debugging which will log detailed security information on each request.

We can enable security debugging using the debug property:

@EnableWebSecurity(debug = true)

This way, when we send a request to the server, all the request information will be logged.

We’ll also be able to see the entire security filter chain:

Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  UsernamePasswordAuthenticationFilter
  // ...
]

3. Logging

Next, we’ll find our security filters by enabling the logging for the FilterChainProxy.

We can enable logging by adding the following line to application.properties:

logging.level.org.springframework.security.web.FilterChainProxy=DEBUG

Here’s the related log:

DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
...

4. Obtaining the Filters Programmatically

Now, we’ll see how to obtain the registered security filters programmatically.

We’ll use FilterChainProxy to get the security filters.

First, let’s autowire the springSecurityFilterChain bean:

@Autowired
@Qualifier("springSecurityFilterChain")
private Filter springSecurityFilterChain;

Here, we used a @Qualifier with the name springSecurityFilterChain with type Filter instead of FilterChainProxy. This is because the method of springSecurityFilterChain() in WebSecurityConfiguration, which creates the Spring Security filter chain, return type Filter and not FilterChainProxy.

Next, we’ll cast this object to FilterChainProxy and call the getFilterChains() method:

public void getFilters() {
    FilterChainProxy filterChainProxy = (FilterChainProxy) springSecurityFilterChain;
    List<SecurityFilterChain> list = filterChainProxy.getFilterChains();
    list.stream()
      .flatMap(chain -> chain.getFilters().stream()) 
      .forEach(filter -> System.out.println(filter.getClass()));
}

And here’s a sample output:

class org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter
class org.springframework.security.web.context.SecurityContextPersistenceFilter
class org.springframework.security.web.header.HeaderWriterFilter
class org.springframework.security.web.authentication.logout.LogoutFilter
class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
...

Note that since Spring Security 3.1, FilterChainProxy is configured using a list of SecurityFilterChain. However, most applications need only one SecurityFilterChain.

5. Important Spring Security Filters

Finally, let’s take a look at some of the important security filters:

  • UsernamePasswordAuthenticationFilter: process authentication, responds by default to “/login” URL
  • AnonymousAuthenticationFilter: when there’s no authentication object in SecurityContextHolder, it creates an anonymous authentication object and put it there
  • FilterSecurityInterceptor: raise exceptions when access is denied
  • ExceptionTranslationFilter: catch Spring Security exceptions

6. Conclusion

In this quick articles, we explored how to find the registered Spring Security filters programmatically and using logs.

As always, source code can be found over on GitHub.

Related posts:

Java Program to Perform Inorder Non-Recursive Traversal of a Given Binary Tree
HandlerAdapters in Spring MVC
Java Program to Implement Efficient O(log n) Fibonacci generator
XML-Based Injection in Spring
Java Program to Generate All Subsets of a Given Set in the Lexico Graphic Order
Java Program to Use rand and srand Functions
Java Program to Sort an Array of 10 Elements Using Heap Sort Algorithm
Ép kiểu trong Java (Type casting)
The Difference Between Collection.stream().forEach() and Collection.forEach()
Bootstrapping Hibernate 5 with Spring
Exploring the Spring Boot TestRestTemplate
Java Program to Find Second Smallest of n Elements with Given Complexity Constraint
Spring WebClient Requests with Parameters
Java Program to Perform Cryptography Using Transposition Technique
Spring REST API + OAuth2 + Angular (using the Spring Security OAuth legacy stack)
Java Program to Check whether Graph is a Bipartite using BFS
Runnable vs. Callable in Java
Toán tử instanceof trong java
Java Program to implement Array Deque
Convert a Map to an Array, List or Set in Java
File Upload with Spring MVC
Java Program to Represent Graph Using Incidence Matrix
Java Program to Implement Extended Euclid Algorithm
Java Program to Find Minimum Number of Edges to Cut to make the Graph Disconnected
Java Program to implement Bi Directional Map
Spring MVC Tutorial
Send an email with an attachment
A Guide to the ResourceBundle
Quick Intro to Spring Cloud Configuration
Tránh lỗi NullPointerException trong Java như thế nào?
Default Password Encoder in Spring Security 5
Guide to CountDownLatch in Java