Security filters
Spring Security MVC is based on Servlet Filters.
DelegatingFilterProxy – Filter implementation that bridges the servlet container lifecycle and the Spring ApplicationContext. This filter is registered through the standard servlet container mechanisms but delegates all work to a Spring bean that implements Filter.
FilterChainProxy – special filter provided by Spring Security that allows delegating to many filter instances through SecurityFilterChain.
SecurityFilterChain – determines which filter instances should be invoked for the current request. Security filters are inserted into FilterChainProxy through the SecurityFilterChain.
AbstractAuthenticationProcessingFilter
AbstractAuthenticationProcessingFilter is used as a base Filter for authenticating a user’s credentials (authorizeHttpRequests).
Common security filters: CsrfFilter, UsernamePasswordAuthenticationFilter, BasicAuthenticationFilter, AuthorizationFilter.
AuthorizationFilter
An authorization filter that restricts access to the URL using AuthorizationManager.
UsernamePasswordAuthenticationFilter
When a user submits a username and password, this filter creates a UsernamePasswordAuthenticationToken, which is passed to an AuthenticationManager instance to be authenticated.
Others
BasicAuthenticationFilter – processes the Basic Authorization header of an HTTP request and puts the result into the SecurityContextHolder.
GenericFilterBean – simple abstract base implementation of Filter.
OncePerRequestFilter – Filter base class that aims to guarantee a single execution per request dispatch, on any servlet container.
- doFilterInternal()
- shouldNotFilter()
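
The two OncePerRequestFilter hooks listed above, shown in an added example that is not from the original page. It assumes Spring Security 6.x (jakarta.servlet API); the ApiKeyFilter class, the X-API-Key header, the "api-client" principal and the ROLE_API authority are hypothetical names chosen for illustration.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter: authenticates requests that carry a shared key in the X-API-Key header.
public class ApiKeyFilter extends OncePerRequestFilter {
    private static final String HEADER = "X-API-Key"; // assumed header name

    private final byte[] expectedKey;

    public ApiKeyFilter(String expectedKey) {
        this.expectedKey = expectedKey.getBytes(StandardCharsets.UTF_8);
    }

    // Returning true skips only this filter. The request continues unauthenticated,
    // so AuthorizationFilter still decides whether it may reach the URL.
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return request.getHeader(HEADER) == null;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        byte[] presented = request.getHeader(HEADER).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(presented, expectedKey)) { // constant-time comparison
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // fail closed: a wrong key never reaches the rest of the chain
        }
        // Build a fresh context rather than mutating a shared one.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(UsernamePasswordAuthenticationToken.authenticated(
                "api-client", null, AuthorityUtils.createAuthorityList("ROLE_API")));
        SecurityContextHolder.setContext(context);
        chain.doFilter(request, response);
    }
}
```

To place it in a SecurityFilterChain, call http.addFilterBefore(new ApiKeyFilter(key), UsernamePasswordAuthenticationFilter.class) while building the HttpSecurity. Creating the filter with new instead of exposing it as a bean keeps Spring Boot from also registering it directly with the servlet container.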