Understand Spring Security Filters
Alias | Namespace Element/Attribute | <http> | <http>/@auto-config | Filter Class
--- | --- | --- | --- | ---
CHANNEL_FILTER | http/intercept-url@requires-channel | | | ChannelProcessingFilter
CONCURRENT_SESSION_FILTER | session-management/concurrency-control | | | ConcurrentSessionFilter
SECURITY_CONTEXT_FILTER | http | Y | | SecurityContextPersistenceFilter
LOGOUT_FILTER | http/logout | | Y | LogoutFilter
X509_FILTER | http/x509 | | | X509AuthenticationFilter
PRE_AUTH_FILTER | | | | AbstractPreAuthenticatedProcessingFilter
CAS_FILTER | | | | CasAuthenticationFilter
FORM_LOGIN_FILTER | http/form-login | | Y | UsernamePasswordAuthenticationFilter
BASIC_AUTH_FILTER | http/http-basic | | Y | BasicAuthenticationFilter
SERVLET_API_SUPPORT_FILTER | http/@servlet-api-provision | | ? | SecurityContextHolderAwareFilter
JAAS_API_SUPPORT_FILTER | http/@jaas-api-provision | | | JaasApiIntegrationFilter
REMEMBER_ME_FILTER | http/remember-me | | | RememberMeAuthenticationFilter
ANONYMOUS_FILTER | http/anonymous | Y | | AnonymousAuthenticationFilter
SESSION_MANAGEMENT_FILTER | session-management | Y | | SessionManagementFilter
EXCEPTION_TRANSLATION_FILTER | http | Y | | ExceptionTranslationFilter
FILTER_SECURITY_INTERCEPTOR | http | Y | | FilterSecurityInterceptor
SWITCH_USER_FILTER | | | | SwitchUserFilter

Table 1. Spring Security Standard Filters and Ordering (rows are listed in filter-chain order; "Y" marks a filter added by that element, "?" marks one the author could not confirm)
About <http> and <http>/@auto-config
The Spring Security Documentation is not very clear about what filters are added by <http> (with or without auto-config="true") - there seems to be some conflicting information in Section 3 and Appendix B.1.2. Based on my understanding, it looks like the appendix is outdated. In particular, since 3.0, auto-config no longer adds REMEMBER_ME_FILTER, and the generally useful filters ANONYMOUS_FILTER and SESSION_MANAGEMENT_FILTER are now added by <http> instead of auto-config. I'm still not sure whether auto-config still adds SERVLET_API_SUPPORT_FILTER though.
Custom Filters
Use the following syntax to add custom filters or to replace standard ones:
<http>
    <custom-filter position="FORM_LOGIN_FILTER" ref="myFilter1" />
    <custom-filter before="FORM_LOGIN_FILTER" ref="myFilter2" />
    <custom-filter after="FORM_LOGIN_FILTER" ref="myFilter3" />
</http>
Note that you cannot insert a custom filter at the position of a standard one if the standard one is already included by the namespace configuration (e.g. by <http> or <http>/@auto-config).
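As an added illustration of that restriction (this is example configuration, not from the original post): the first <http> element below is rejected when the context starts, because auto-config="true" already registers FORM_LOGIN_FILTER at the position the custom filter asks for; the second one drops auto-config and <form-login> so the custom filter can take the FORM_LOGIN_FILTER slot, and supplies the entry point the namespace would otherwise have derived from <form-login>. The class com.example.MyLoginFilter (assumed to extend UsernamePasswordAuthenticationFilter), the bean ids and the URL patterns are assumptions; the two <http> elements are alternatives, not meant to coexist in one file.

```xml
<!-- Conflicting: auto-config="true" already adds FORM_LOGIN_FILTER, so a
     custom filter at the same position duplicates an order value and the
     namespace parser fails context startup -->
<http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER" />
    <custom-filter position="FORM_LOGIN_FILTER" ref="myLoginFilter" />
</http>

<!-- Corrected: no auto-config and no <form-login>, so nothing else occupies
     FORM_LOGIN_FILTER; the entry point must now be given explicitly -->
<http entry-point-ref="loginEntryPoint">
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <logout />
    <custom-filter position="FORM_LOGIN_FILTER" ref="myLoginFilter" />
</http>

<!-- Sends unauthenticated requests to the (assumed) /login page -->
<beans:bean id="loginEntryPoint"
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg value="/login" />
</beans:bean>

<!-- Hypothetical subclass of UsernamePasswordAuthenticationFilter; it needs
     the AuthenticationManager wired in, which the namespace does not do for
     custom filters -->
<beans:bean id="myLoginFilter" class="com.example.MyLoginFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

<!-- The alias exposes the namespace-created manager as a bean name -->
<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <user-service>
            <user name="alice" password="constructed-sample-password" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>
```

The before= and after= forms shown earlier do not claim a standard position and so do not raise this conflict; only position= does.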