Spring Security : DelegatingFilterProxy

 

In Spring Security, a request for a protected resource goes through a chain of Spring Security filters that fulfil the authentication and authorization requirements.

You might be a little confused about how your web application interacts with Spring Security for authentication and authorization. You might be asking yourself the following questions.

  1. The user request comes directly to the web application. So how does Spring Security know that there is a request for the web application that should be checked for authentication and authorization?

  2. How does the web application delegate the request to Spring Security? Which component on the Spring Security side receives the request delegated by the web application?

The answer is the DelegatingFilterProxy. It is the entry point for Spring Security. The DelegatingFilterProxy is a servlet filter, and it delegates the request to a Spring-managed bean that must implement the servlet Filter interface.

 

In order to configure Spring Security for your web application, you need to declare a filter called DelegatingFilterProxy in the web deployment descriptor (web.xml).

web.xml with Spring Security configuration 

<?xml version="1.0" encoding="UTF-8"?>
<web-app>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app> 

 

Here you are specifying that requests to all URLs (/*) will go through the DelegatingFilterProxy filter. The name of this filter is important because springSecurityFilterChain is the default filter name Spring Security uses to configure its filter chain.

According to the above web.xml, DelegatingFilterProxy is declared as a servlet filter in the web application. Every request that comes to the web application goes through this filter, and the filter delegates the request to the Spring-managed “springSecurityFilterChain” bean.

 

 

What does DelegatingFilterProxy do?

DelegatingFilterProxy does not do any real work. It always looks in the Spring application context for a bean called “springSecurityFilterChain” and delegates the request to it for all the security-related processing (authentication and authorization). In short, the request is received by the FilterChainProxy.

<beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">

 

FilterChainProxy is responsible for sending the request through the chain of security filters implemented in Spring Security (for authentication and authorization purposes).

 

The Need of DelegatingFilterProxy

Spring Security has a chain of security filters, and they are managed by the Spring container (as Spring beans). Those Spring-managed security filters are not declared in the web application’s deployment descriptor (web.xml) and are therefore unknown to the web application. To make a bridge/link between the web application and the Spring Security filter chain, an additional filter called DelegatingFilterProxy is used. As described earlier, it does not do any real work; it delegates the request to the Spring-managed bean called “springSecurityFilterChain” (which is an instance of FilterChainProxy).
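
The bridge described above fails if the filter name, its URL mapping or the delegate bean is wrong, so the wiring is worth checking at startup. The listener below is an added example, not code from Spring Security or from this article: the class name SecurityFilterWiringCheck is hypothetical, and it assumes the javax.servlet API (Servlet 3.0 or later), a root context loaded by a ContextLoaderListener declared before this listener in web.xml, and a delegate bean that is a plain FilterChainProxy.

```java
import java.util.Collection;
import javax.servlet.Filter;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.filter.DelegatingFilterProxy;

// Hypothetical class (not part of Spring); declare it as a <listener> after ContextLoaderListener.
public class SecurityFilterWiringCheck implements ServletContextListener {
    private static final String FILTER_NAME = "springSecurityFilterChain";

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext sc = event.getServletContext();

        // 1. The container must have a DelegatingFilterProxy registered under the expected name.
        FilterRegistration reg = sc.getFilterRegistration(FILTER_NAME);
        if (reg == null || !DelegatingFilterProxy.class.getName().equals(reg.getClassName())) {
            throw new IllegalStateException("No DelegatingFilterProxy registered as " + FILTER_NAME);
        }

        // 2. It must be mapped to every URL; a narrower mapping lets requests bypass the chain.
        Collection<String> patterns = reg.getUrlPatternMappings();
        if (!patterns.contains("/*")) {
            throw new IllegalStateException(FILTER_NAME + " is mapped to " + patterns + ", not /*");
        }

        // 3. The bean the proxy looks up by name must exist (throws if missing or of another type).
        WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
        FilterChainProxy proxy = ctx.getBean(FILTER_NAME, FilterChainProxy.class);

        // 4. Log the security filters behind the proxy, which web.xml never lists.
        for (SecurityFilterChain chain : proxy.getFilterChains()) {
            sc.log("Security filter chain: " + chain);
            for (Filter filter : chain.getFilters()) {
                sc.log("  " + filter.getClass().getName());
            }
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) { }
}
```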

 

Is it required to explicitly declare springSecurityFilterChain bean in the application’s spring security configuration?

No. It will be automatically declared and configured by Spring Security. If you need to, you can declare it explicitly as follows, but it is not recommended. So stick with the default configuration.

<beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">

 

How is the DelegatingFilterProxy declared in a Spring Boot application?

In Spring Boot, most of the configuration is auto-configured and we do not have to worry about it. Therefore DelegatingFilterProxy is also declared and configured automatically. If you look at the SecurityFilterAutoConfiguration class, you will find the following method, which registers the filter named springSecurityFilterChain.

 

@Bean
@ConditionalOnBean(name = {"springSecurityFilterChain"})
public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(SecurityProperties securityProperties) {
    DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean(DEFAULT_FILTER_NAME);
    registration.setOrder(securityProperties.getFilterOrder());
    registration.setDispatcherTypes(getDispatcherTypes(securityProperties));
    return registration;
}

 

I hope that this article will give you an idea of how our web application delegates the request to Spring Security and how Spring Security integrates with our web application.

 

 

 
