FilterChainProxy and DelegatingFilterProxy Uses

FilterChainProxy and DelegatingFilterProxy are a good topic to know. We will discuss it here because many of you have asked me about it. To understand FilterChainProxy and DelegatingFilterProxy, one must first understand servlet filters.


When a request reaches the server, it is intercepted by the springSecurityFilterChain filter (a DelegatingFilterProxy), which delegates the request to the Spring Security framework, where the security tasks are handled by the security filters defined in the application context.

Note: DelegatingFilterProxy provides the link between the application context and web.xml. What does DelegatingFilterProxy do here? It just delegates the request to a Spring-managed bean that implements the Servlet Filter interface, which is probably the reason for the name DelegatingFilterProxy.

This lets the bean benefit from the Spring web application context's lifecycle support and configuration flexibility. The bean must have the same name as the filter-name element in web.xml.


springSecurityFilterChain and FilterChainProxy:

Once a servlet request reaches the filter, DelegatingFilterProxy gets initialized. As part of its initialization it looks for the filter name, which in this case is springSecurityFilterChain.

This is basically a Spring bean. If you look, however, there is no bean named springSecurityFilterChain declared in the Spring context. So what does springSecurityFilterChain represent? springSecurityFilterChain is an alias for the FilterChainProxy bean; it actually returns a FilterChainProxy object.

If you want to know how this proxy gets called and initialized, please go through the Stack Overflow link present here, which explains springSecurityFilterChain and FilterChainProxy in detail.

FilterChainProxy:

FilterChainProxy lets us add a single entry to web.xml and deal entirely with the application context file for managing our web security beans. It is wired using a DelegatingFilterProxy, just as described above, but with the filter-name set to the bean name “filterChainProxy”.

At runtime the FilterChainProxy will locate the first URI pattern that matches the current web request and the list of filter beans specified by the filters attribute will be applied to that request. The filters will be invoked in the order they are defined, so you have complete control over the filter chain which is applied to a particular URL.
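The wiring described above, as an added example that is not part of the original post: a DelegatingFilterProxy entry in web.xml whose filter-name matches an explicitly declared FilterChainProxy bean with two URL patterns. The `sec:` prefix is assumed to be bound to the Spring Security namespace, and the URL patterns and filter bean names are illustrative and assumed to be defined elsewhere in the same context.

```xml
<!-- web.xml: the single servlet-container entry.
     filter-name must equal the id of the bean declared below. -->
<filter>
    <filter-name>filterChainProxy</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>filterChainProxy</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Application context file.
     Filter bean names in each filters attribute are hypothetical. -->
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <sec:filter-chain-map>
        <!-- Checked first: API requests authenticate with HTTP Basic. -->
        <sec:filter-chain pattern="/api/**" filters="
            securityContextPersistenceFilter,
            basicAuthenticationFilter,
            exceptionTranslationFilter,
            filterSecurityInterceptor"/>
        <!-- Catch-all goes last. Only the first matching pattern is applied,
             so listing /** before /api/** would leave the /api/** chain
             unused and every API request would get this chain instead. -->
        <sec:filter-chain pattern="/**" filters="
            securityContextPersistenceFilter,
            logoutFilter,
            usernamePasswordAuthenticationFilter,
            exceptionTranslationFilter,
            filterSecurityInterceptor"/>
    </sec:filter-chain-map>
</bean>
```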

FilterChainProxy will always delegate the init(FilterConfig) and destroy() methods through to the underlying Filters if such methods are called against FilterChainProxy itself. In this case, FilterChainProxy guarantees to initialize and destroy each Filter bean only once, no matter how many times it is declared in the filter chain(s).

Spring Security filters are one of the most important aspects of authentication in any Spring-based app. Understand the authentication flow in depth, then move ahead to the internal concepts.

After that, this filter invokes the next set of filters in the chain, in order. The FilterChainProxy (aliased as the springSecurityFilterChain bean) consists of an ordered list of security filters that are defined in the Spring application context.

By default, when we add the <http> element, SecurityContextPersistenceFilter, ExceptionTranslationFilter and FilterSecurityInterceptor are added. As we have set auto-config to true, BasicAuthenticationFilter, LogoutFilter and UsernamePasswordAuthenticationFilter also get added to the filter chain. The filter chain keeps skipping until the right filter is reached.

Different filters work behind the scenes when different modes of authentication are used. Please have a look at the diagram below.

Spring Security Filters List

This is a basic comparison of FilterChainProxy and DelegatingFilterProxy.

Written by – Subrat Padhi
