Understand Spring Security Filters
| Alias | Namespace Element/Attribute | <http> | <http>/@auto-config | Filter Class |
|---|---|---|---|---|
| CHANNEL_FILTER | http/intercept-url@requires-channel | | | ChannelProcessingFilter |
| CONCURRENT_SESSION_FILTER | session-management/concurrency-control | | | ConcurrentSessionFilter |
| SECURITY_CONTEXT_FILTER | http | Y | | SecurityContextPersistenceFilter |
| LOGOUT_FILTER | http/logout | | Y | LogoutFilter |
| X509_FILTER | http/x509 | | | X509AuthenticationFilter |
| PRE_AUTH_FILTER | | | | AbstractPreAuthenticatedProcessingFilter |
| CAS_FILTER | | | | CasAuthenticationFilter |
| FORM_LOGIN_FILTER | http/form-login | | Y | UsernamePasswordAuthenticationFilter |
| BASIC_AUTH_FILTER | http/http-basic | | Y | BasicAuthenticationFilter |
| SERVLET_API_SUPPORT_FILTER | http/@servlet-api-provision | | ? | SecurityContextHolderAwareFilter |
| JAAS_API_SUPPORT_FILTER | http/@jaas-api-provision | | | JaasApiIntegrationFilter |
| REMEMBER_ME_FILTER | http/remember-me | | | RememberMeAuthenticationFilter |
| ANONYMOUS_FILTER | http/anonymous | Y | | AnonymousAuthenticationFilter |
| SESSION_MANAGEMENT_FILTER | session-management | Y | | SessionManagementFilter |
| EXCEPTION_TRANSLATION_FILTER | http | Y | | ExceptionTranslationFilter |
| FILTER_SECURITY_INTERCEPTOR | http | Y | | FilterSecurityInterceptor |
| SWITCH_USER_FILTER | | | | SwitchUserFilter |

Table 1. Spring Security Standard Filters and Ordering
About <http> and <http>/@auto-config
The Spring Security documentation is not very clear about which filters are added by <http> (with or without auto-config="true"); Section 3 and Appendix B.1.2 appear to conflict on this point. Based on my understanding, the appendix is outdated. In particular, since 3.0, auto-config no longer adds REMEMBER_ME_FILTER, and the generally useful filters ANONYMOUS_FILTER and SESSION_MANAGEMENT_FILTER are now added by <http> itself rather than by auto-config. I'm still not sure whether auto-config still adds SERVLET_API_SUPPORT_FILTER, though.
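Rather than relying on the documentation, you can check empirically which filters the namespace registers for the version you actually run, and in which order, by loading a minimal configuration and walking the chain. This is an added example, not code from this page or from the Spring Security project; it assumes Spring Security 3.1 or later (FilterChainProxy.getFilterChains()), and the user entry in the XML is a constructed placeholder that exists only so that <authentication-manager> validates.

```java
import java.util.List;
import javax.servlet.Filter;
import org.springframework.context.support.GenericXmlApplicationContext;
import org.springframework.core.io.ByteArrayResource;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;

public class ListSecurityFilters {

    // Constructed minimal namespace configuration. Toggle auto-config="true"/"false"
    // and rerun to see exactly which filters <http> adds on its own.
    private static final String CONFIG =
        "<beans:beans xmlns=\"http://www.springframework.org/schema/security\"\n"
      + "  xmlns:beans=\"http://www.springframework.org/schema/beans\"\n"
      + "  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n"
      + "  xsi:schemaLocation=\"http://www.springframework.org/schema/beans\n"
      + "    http://www.springframework.org/schema/beans/spring-beans.xsd\n"
      + "    http://www.springframework.org/schema/security\n"
      + "    http://www.springframework.org/schema/security/spring-security.xsd\">\n"
      + "  <http auto-config=\"true\">\n"
      + "    <intercept-url pattern=\"/**\" access=\"ROLE_USER\"/>\n"
      + "  </http>\n"
      + "  <authentication-manager>\n"
      + "    <authentication-provider>\n"
      + "      <user-service>\n"
      + "        <user name=\"placeholder\" password=\"placeholder\" authorities=\"ROLE_USER\"/>\n"
      + "      </user-service>\n"
      + "    </authentication-provider>\n"
      + "  </authentication-manager>\n"
      + "</beans:beans>\n";

    public static void main(String[] args) {
        GenericXmlApplicationContext ctx = new GenericXmlApplicationContext();
        ctx.load(new ByteArrayResource(CONFIG.getBytes()));
        ctx.refresh();
        try {
            // The namespace registers the proxy under this well-known bean name.
            FilterChainProxy proxy = ctx.getBean("springSecurityFilterChain", FilterChainProxy.class);
            int chainIndex = 0;
            for (SecurityFilterChain chain : proxy.getFilterChains()) {
                System.out.println("chain " + chainIndex++ + ":");
                List<Filter> filters = chain.getFilters();
                for (int i = 0; i < filters.size(); i++) {
                    // This is the real runtime order; compare it against Table 1.
                    System.out.println("  " + (i + 1) + ". " + filters.get(i).getClass().getSimpleName());
                }
            }
        } finally {
            ctx.close();
        }
    }
}
```

Filters that need explicit configuration (CHANNEL_FILTER, CONCURRENT_SESSION_FILTER, X509_FILTER, REMEMBER_ME_FILTER and so on) will not appear in the output unless the corresponding namespace element is added to the configuration.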