Win a copy of Modern JavaScript for the Impatient this week in the Server-Side JavaScript and NodeJS forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Paul Clapham
  • Bear Bibeault
  • Junilu Lacar
Sheriffs:
  • Jeanne Boyarsky
  • Tim Cooke
  • Henry Wong
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • salvin francis
  • Frits Walraven
Bartenders:
  • Scott Selikoff
  • Piet Souris
  • Carey Brown

Spring security filters are different from what Spring document says

 
Bartender
Posts: 1944
13
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi everyone,
I executed my instructor's code and put a breakpoint at DefaultSecurityFilterChain's constructor.
I notice the order of the filters in the chain include:

0 = WebAsyncManagerIntegrationFilter
1 = SecurityContextPersistenceFilter
2 = HeaderWriterFilter
3 = CsrfFilter
4 =  CustomerRequestParameterAuthenticationFilter (My instructor adds it)
5 =  LogoutFilter ( My instructor adds it)
6 = UsernamePasswordAuthenticationFilter
7 = RequestCacheAwareFilter
8 = SecurityContextHolderAwareRequestFilter
9 = AnonymousAuthenticationFilter
10 = SessionManagementFilter
11 = ExceptionTranslationFilter
12 = FilterSecurityInterceptor

However, in Spring 5.1.1.Release , the filter ordering is different from what I saw. The document lists:

0 = ChannelProcessingFilter
1 = SecurityContextPersistenceFilter
2 = ConcurrentSessionFilter
3 = UsernamePaswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter
4 = SecurityContextHolderAwareRequestFilter
5 = JaasApiIntegrationFilter
6 = RememberMeAuthenticationFilter
7 = AnonymousAuthenticationFilter
8 = ExceptionTranslationFilter
9 = FilterSecurityInterceptor

Reference: https://docs.spring.io/spring-security/site/docs/5.1.1.RELEASE/reference/htmlsingle/#filter-ordering

Why the filter chain in my instructor's example is different from the document?

Thanks.
 
Saloon Keeper
Posts: 12251
259
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Spring Security is a broad framework that can be used in many different kinds of applications. Since it's so broad, it can't give a definite list of filters that is to be used in a specific application.

The example given by your instructor is a web application, and the DefaultSecurityFilterChain contains filters that are appropriate for a web application. For instance, a CSRF filter will only be used in web applications, not in all applications that use Spring Security.
 
    Bookmark Topic Watch Topic
  • New Topic