Understanding Spring Security Integration with Servlet Applications

This article explains how Spring Security integrates with Servlet‑based Java web applications by detailing the servlet filter chain, DelegatingFilterProxy, FilterChainProxy, SecurityFilterChain, and providing code examples to help readers grasp authentication and authorization mechanisms.

Architecture Digest

Spring Security is a powerful authentication and authorization framework for Java web applications. The author records personal learning notes on integrating Spring Security with Servlet‑based applications, aiming to help readers avoid forgetting key concepts.

Spring Security in Servlet Applications

The following content is excerpted from the official documentation.

Servlet Filter Chain

The Servlet Filter Chain consists of a series of javax.servlet.Filter implementations. A client request passes through the FilterChain, allowing each matching Filter to process the request and response before reaching the servlet.

Spring Security adds a special filter to this chain to handle authentication and authorization.

DelegatingFilterProxy

Spring provides the DelegatingFilterProxy, a javax.servlet.Filter implementation that delegates its work to a Spring‑managed Filter bean (Filter0 in the documentation's example) by invoking that bean's doFilter method.

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    // Lazily get Filter that was registered as a Spring Bean
    Filter delegate = getFilterBean(someBeanName);
    // delegate work to the Spring Bean, passing the chain so processing can continue
    delegate.doFilter(request, response, chain);
}

FilterChainProxy

The FilterChainProxy is the main entry point of Spring Security. It matches incoming requests, obtains the appropriate SecurityFilterChain, and executes its filters.

SecurityFilterChain

A SecurityFilterChain contains a list of filters that perform specific functions such as login authentication, logout handling, and setting the SecurityContext. Multiple chains can be defined to apply different security rules to different URL patterns (e.g., /app/api/** vs /web/api/**).

public interface SecurityFilterChain {
    boolean matches(HttpServletRequest request);
    List<Filter> getFilters();
}

Summary of Key Concepts

Servlet Filter Chain – the chain of servlet filters.

DelegatingFilterProxy – Spring proxy that forwards to FilterChainProxy.

FilterChainProxy – matches requests and invokes the appropriate SecurityFilterChain.

SecurityFilterChain – a collection of filters applied to matched requests.

When a client accesses /web/api/login, the request matches SecurityFilterChain 0 and the associated filters are executed.

FilterChainProxy Source Overview

public class FilterChainProxy extends GenericFilterBean {
    private List<SecurityFilterChain> filterChains;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        ...
        doFilterInternal(request, response, chain);
        ...
    }

    private void doFilterInternal(ServletRequest request, ServletResponse response,
                                 FilterChain chain) throws IOException, ServletException {
        ...
        List<Filter> filters = getFilters(fwRequest);
        ...
        VirtualFilterChain vfc = new VirtualFilterChain(fwRequest, chain, filters);
        vfc.doFilter(fwRequest, fwResponse);
    }

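    private List<Filter> getFilters(HttpServletRequest request) {
        // Chains are checked in list order; the first one that matches wins
        for (SecurityFilterChain chain : filterChains) {
            if (chain.matches(request)) {
                return chain.getFilters();
            }
        }
        // No chain matched this request
        return null;
    }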

    private static class VirtualFilterChain implements FilterChain {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
            ...
        }
    }
}

The execution flow is FilterChainProxy.doFilter → doFilterInternal → getFilters → VirtualFilterChain.doFilter, where the first SecurityFilterChain that matches the request provides the filter list.
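
The first-match selection in getFilters makes the order of the chains security-relevant. The following Java sketch is an added example, not Spring Security source or the article's own code: the Chain record, its path-prefix matching and the filter names are simplified assumptions standing in for SecurityFilterChain and its request matchers.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: simplified model of FilterChainProxy.getFilters().
// Chain, its prefix matching and the filter names are assumptions, not Spring types.
public class FirstMatchDemo {

    // Stand-in for SecurityFilterChain; matches a path prefix instead of an HttpServletRequest.
    record Chain(String name, String prefix, List<String> filters) {
        boolean matches(String path) { return path.startsWith(prefix); }
    }

    // Same selection rule as getFilters(): first matching chain wins, null if none matches.
    static List<String> getFilters(List<Chain> chains, String path) {
        for (Chain c : chains) {
            if (c.matches(path)) return c.filters();
        }
        return null;
    }
    // Ordering check: a chain is unreachable when an earlier chain's prefix covers its own.
    static List<String> shadowed(List<Chain> chains) {
        List<String> findings = new ArrayList<>();
        for (int i = 1; i < chains.size(); i++) {
            for (int j = 0; j < i; j++) {
                if (chains.get(i).prefix().startsWith(chains.get(j).prefix())) {
                    findings.add(chains.get(i).name() + " shadowed by " + chains.get(j).name());
                    break;
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        Chain web = new Chain("web", "/web/api/", List.of("FormLogin", "Authorization"));
        Chain app = new Chain("app", "/app/api/", List.of("BearerToken", "Authorization"));
        Chain any = new Chain("any", "/", List.of("Authorization"));
        List<Chain> specificFirst = List.of(web, app, any);
        List<Chain> catchAllFirst = List.of(any, web, app);
        // The same login request gets different filters depending on chain order.
        System.out.println(getFilters(specificFirst, "/web/api/login"));
        System.out.println(getFilters(catchAllFirst, "/web/api/login"));
        // Without a catch-all chain, an unlisted path matches nothing.
        System.out.println(getFilters(List.of(web, app), "/admin/metrics"));
        // Report chains that can never be selected in each ordering.
        System.out.println(shadowed(specificFirst));
        System.out.println(shadowed(catchAllFirst));
    }
}
```

In Spring Security itself, a request that matches no chain continues down the servlet filter chain with none of the security filters applied, which is why a catch-all chain is normally placed last.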

Overall, the article provides a concise overview of how Spring Security hooks into the servlet filter mechanism, illustrating the architecture with diagrams and code snippets.
