/ Java Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

What Does Spring DelegatingFilterProxy Do?

DZone's Guide to

What Does Spring DelegatingFilterProxy Do?

You might see Spring's DelegatingFilterProxy crop up sometimes. It's actually a proxy for a standard Servlet Filter. Let's see an example in action with Spring Security.

by
Martin Farrell
·
May. 30, 17 · Java Zone
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Bitbucket is for the code that takes us to Mars, decodes the human genome, or drives your next car. What will your code do? Get started with Bitbucket today, it's free.

I had never given much thought to how Spring Security integrates with web.xml until I had to diagnose an issue involving the DelegatingFilterProxy and my Spring Security configuration.

I knew the starting point is the springSecurityFilterChain which uses the DelegatingFilterProxy, and this would instantiate the Spring Security filters according to my Spring configuration:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
    </filter-mapping>

 

But what next?

DelegatingFilterProxy

A look at the Javadoc for DelegatingFilterProxy states that:

Proxy for a standard Servlet Filter, delegating to a Spring-managed bean that implements the Filter interface

It further states that the filter-name corresponds to a bean in the Spring application context.

So in terms of Spring Security, the DelegatingFilterProxy will look through the Spring Application Context for a bean “springSecurityFilterChain”. The only requirement for Delegated beans is that they must implement javax.servlet.Filter.

Initializing the springSecurityFilterChain

The springSecurityFilterChain is initialised in your spring configuration by, which will be passed to your DispatcherServlet:

<http ...> </http>

 

We can see this in action when we include code to add remove filters in Spring Security:

<http ...>
    ...        
    <custom-filter ref="mySecurityFilter" after="FORM_LOGIN_FILTER"  />
    ...
</http>

You can also see a list of filters created when you up spring security logging

What About Spring Boot?

Spring Security configuration for Spring Boot is simply a matter of adding a reference to “spring-boot-starter-security” to Gradle or Maven. We can then fine tune the security configurations through @EnableWebSecurity and overriding the configure method of a class extending WebSecurityConfigurerAdapter.

If we dig around under the hood we find that the DelegatingFilterProxy is still used. With the “springSecurityFilterChain” instantiated in SecurityFilterAutoConfiguration, which populates the DelegatingFilterProxyRegistrationBean with “springSecurityFilterChain” (AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME):

@Bean
@ConditionalOnBean(name = DEFAULT_FILTER_NAME)
public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(SecurityProperties securityProperties) {
    DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean(DEFAULT_FILTER_NAME);
    registration.setOrder(securityProperties.getFilterOrder());
    registration.setDispatcherTypes(getDispatcherTypes(securityProperties));
    return registration;
}


Bitbucket is the Git solution for professional teams who code with a purpose, not just as a hobby. Get started today, it's free.

Like This Article? Read More From DZone

Using JMS in Spring Boot
A Look at Spring Boot Admin
Spring Boot Entity Scanning

Free DZone Refcard

Contexts and Dependency Injection for the Java EE Platform
DOWNLOAD
Topics:
java ,spring secruity ,DelegatingFilterProxy ,spring boot ,tutorial

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of Martin Farrell, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Java Partner Resources

Improve Code Quality with this Tutorial
The single app analytics solutions to take your web and mobile apps to the next level. Try today!
Download our Git cheat sheet
Building Reactive Microservices in Java: Asynchronous and Event-Based Application Design
The Importance of Monitoring Containers
A Practical Guide to Learning Git
Market Guide for Application Platforms
Developing Reactive Microservices: Enterprise Implementation in Java
CA App Experience Analytics, a whole new level of visibility. Learn more.
Download a Complimentary O’Reilly eBook on Cloud-Native Application Architectures
Monorepos in Git
Jenkins, Docker and DevOps: The Innovation Catalysts

Java Partner Resources

Improve Code Quality with this Tutorial
The single app analytics solutions to take your web and mobile apps to the next level. Try today!
Download our Git cheat sheet
Building Reactive Microservices in Java: Asynchronous and Event-Based Application Design
THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone