Spring Security - Filter Chain with Example

Spring Security is a powerful framework used to secure Spring-based web applications. Spring Security internally uses a chain of servlet filters to secure web applications. Every incoming request passes through these filters before accessing application resources.

• Each filter in the chain performs a specific security task.
• Requests pass through multiple filters before reaching the controller.
• Filter ordering is important because filters depend on each other.

Spring Security Filter Chain Architecture

The above diagram shows how requests are processed in Spring Security using a filter chain.

Flow of Request Processing:

• Client Application Sends Request: The client sends an HTTP request to access an application resource.
• Request Enters Filter Chain: The request first passes through the Spring Security Filter Chain.
• Filters Process Request: Multiple security filters process the request one after another.
• Security Validation Happens: Each filter performs tasks like authentication and authorization.
• Request Reaches Controller: After successful validation, the request is forwarded to the Spring MVC Controller.
• Response Sent Back: The controller processes the request and returns the response to the client.

Step-by-Step Implementation of Spring Security Filter Chain

Follow the steps below to understand and implement the Spring Security Filter Chain in a Spring Boot application.

Step 1: Create Project and Configure Apache Tomcat Server

• Open Spring Tool Suite IDE.
• Create a Dynamic Web Project.
• Configure the Apache Tomcat Server with the project.

Before moving to the project let’s have a look at the complete project structure for our Spring MVC application.

Step 2: Add Dependencies to pom.xml File

Add the following dependencies to your pom.xml file

• Spring Web MVC
• Java Servlet API
• Spring Security Config
• Spring Security Web

pom.xml file

<?xml version="1.0" encoding="UTF-8"?>

<project xmlns="https://maven.apache.org/POM/4.0.0" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="https://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>com.gfg.springsecurity</groupId>
  <artifactId>springsecurity</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>war</packaging>

  <name>springsecurity Maven Webapp</name>
  <!-- FIXME change it to the project's website -->
  <url>http://www.gfg.com</url>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>1.7</maven.compiler.source>
    <maven.compiler.target>1.7</maven.compiler.target>
  </properties>

  <dependencies>
  
    <!-- https://mvnrepository.com/artifact/org.springframework/spring-webmvc -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>5.3.24</version>
    </dependency>
    
    <!-- https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api -->
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <version>4.0.1</version>
        <scope>provided</scope>
    </dependency>    
    
    <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-config -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.7.3</version>
    </dependency>
    
    <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-web -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>5.7.3</version>
    </dependency>
    
  </dependencies>

  <build>
    <finalName>springsecurity</finalName>
    <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
      <plugins>
        <plugin>
          <artifactId>maven-clean-plugin</artifactId>
          <version>3.1.0</version>
        </plugin>
        <!-- see https://maven.apache.org/ref/3.9.11/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
        <plugin>
          <artifactId>maven-resources-plugin</artifactId>
          <version>3.0.2</version>
        </plugin>
        <plugin>
          <artifactId>maven-compiler-plugin</artifactId>
          <version>3.8.0</version>
        </plugin>
        <plugin>
          <artifactId>maven-surefire-plugin</artifactId>
          <version>2.22.1</version>
        </plugin>
        <plugin>
          <artifactId>maven-war-plugin</artifactId>
          <version>3.2.2</version>
        </plugin>
        <plugin>
          <artifactId>maven-install-plugin</artifactId>
          <version>2.5.2</version>
        </plugin>
        <plugin>
          <artifactId>maven-deploy-plugin</artifactId>
          <version>2.8.2</version>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>

Step 4: Configure Dispatcher Servlet

Go to the src > main > java and create a class WebAppInitilizer.

• Dispatcher Servlet handles incoming requests.
• Replaces traditional web.xml configuration.

WebAppInitilizer.java

package com.gfg.config;

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class WebAppInitilizer extends 
               AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        // TODO Auto-generated method stub
        return null;
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        Class[] configFiles = {MyAppConfig.class};
        return configFiles;
    }

    @Override
    protected String[] getServletMappings() {
        String[] mappings = {"/"};
        return mappings;
    }

}

Step 5: Configure Spring MVC

Create another class in the same location (src > main > java) and name it MyAppConfig.

• @EnableWebMvc enables Spring MVC features.
• @ComponentScan automatically scans Spring components.

MyAppConfig.java

package com.gfg.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;

@Configuration
@EnableWebMvc
@ComponentScan("com")
public class MyAppConfig {

}

Step 6: Create Spring MVC Controller

Go to the src > main > java and create a class GfgController.

• @Controller marks the class as a Spring MVC controller.
• @GetMapping handles HTTP GET requests.

GfgController.java

package com.gfg.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class GfgController {
    
    @GetMapping("/gfg")
    public String helloGfg() {
        return "hello-gfg";
    }
    
}

Step 7: Create Spring MVC View

Create a JSP file named hello-gfg.jsp inside: /WEB-INF/views/.

• JSP files are used to display web pages.
• WEB-INF protects JSP files from direct browser access.

hello-gfg.jsp

<!DOCTYPE html>
<html>
<body bgcolor="green">
    <h1>Hello GeeksforGeeks!</h1>
</body>
</html>

Step 8: Configure ViewResolver

Add ViewResolver configuration inside MyAppConfig.java.

• ViewResolver maps logical view names to JSP files.
• setPrefix() defines JSP folder location.

MyAppConfig.java

package com.gfg.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;

@Configuration
@EnableWebMvc
@ComponentScan("com")
public class MyAppConfig {
    
    @Bean
    InternalResourceViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setPrefix("/WEB-INF/views/");
        viewResolver.setSuffix(".jsp");
        return viewResolver;
    }

}

Step 9: Configure Spring Security Filter Chain

Create the MySecurityAppConfig.java class.

• @EnableWebSecurity enables Spring Security.
• Creates Spring Security Filter Chain automatically.

MySecurityAppConfig.java

package com.gfg.config;

import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

// This class will help to create
// spring security filter chain
@EnableWebSecurity
public class MySecurityAppConfig {

}

Step 10: Register Spring Security Filter Chain

Create the SecurityInitializer.java class.

• Registers Spring Security filters with the application.
• Enables security for all incoming requests.

SecurityInitializer.java

package com.gfg.config;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// This class will help to register spring security
// filter chain with our application
public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {

}

Step 11: Run Your Spring MVC Application

To run our Spring MVC Application right-click on your project > Run As > Run on Server.

 URL to run : http://localhost:8080/springsecurity/hello-gfg

When you access the URL, Spring Security automatically redirects the request to the default login page

http://localhost:8080/springsecurity/login

And the output is something like this.

So you have successfully created your Filter Chain with the help of Spring Security.