{"id":15228,"date":"2019-10-09T16:26:32","date_gmt":"2019-10-09T09:26:32","guid":{"rendered":"https:\/\/huongdanjava.com\/?p=15228"},"modified":"2021-09-27T06:25:07","modified_gmt":"2021-09-26T23:25:07","slug":"overview-about-request-processing-in-spring-security","status":"publish","type":"post","link":"https:\/\/huongdanjava.com\/overview-about-request-processing-in-spring-security.html","title":{"rendered":"Overview about request processing in Spring Security"},"content":{"rendered":"

To be able to make authentication and authorization for the requests to the web application, Spring Security must act as an interceptor of these applications. It will intercept and process the requests before those requests are actually processed by the application and return results. In this tutorial, we will find out that before processing the request by application, what does Spring Security do!<\/p>\n

First, for you to easily imagine, I will create a new Spring MVC application<\/a> that supports Spring Security as an example:<\/p>\n

\"Overview<\/p>\n

with Spring Security dependencies as follows:<\/p>\n

<dependency>\r\n    <groupId>org.springframework.security<\/groupId>\r\n    <artifactId>spring-security-web<\/artifactId>\r\n    <version>${org.springframework.security-version}<\/version>\r\n<\/dependency>\r\n\r\n<dependency>\r\n    <groupId>org.springframework.security<\/groupId>\r\n    <artifactId>spring-security-config<\/artifactId>\r\n    <version>${org.springframework.security-version}<\/version>\r\n<\/dependency><\/pre>\n
<properties>\r\n    ...\r\n    <org.springframework.security-version>5.2.0.RELEASE<\/org.springframework.security-version>\r\n<\/properties><\/pre>\n
The security.xml file has the following content:<\/p>\n
<beans:beans xmlns=\"http:\/\/www.springframework.org\/schema\/security\"\r\n\txmlns:beans=\"http:\/\/www.springframework.org\/schema\/beans\"\r\n\txmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n\txsi:schemaLocation=\"http:\/\/www.springframework.org\/schema\/beans https:\/\/www.springframework.org\/schema\/beans\/spring-beans.xsd\r\nhttp:\/\/www.springframework.org\/schema\/security https:\/\/www.springframework.org\/schema\/security\/spring-security.xsd\">\r\n\r\n\t<http auto-config=\"true\">\r\n\t\t<intercept-url pattern=\"\/\" access=\"hasRole('ROLE_USER')\"\/>\r\n\t<\/http>\r\n\r\n\t<user-service>\r\n\t\t<user name=\"khanh\" password=\"{noop}123456\" authorities=\"ROLE_USER\" \/>\r\n\t<\/user-service>\r\n<\/beans:beans><\/pre>\n
This security file defines the user “khanh” with the role ROLE_USER to have access to the application with the context path “\/”.<\/p>\n
Of course, you must also configure the web.xml file to add the Spring Security configuration file.<\/p>\n
<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<web-app version=\"2.5\" xmlns=\"http:\/\/java.sun.com\/xml\/ns\/javaee\"\r\n\txmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n\txsi:schemaLocation=\"http:\/\/java.sun.com\/xml\/ns\/javaee https:\/\/java.sun.com\/xml\/ns\/javaee\/web-app_2_5.xsd\">\r\n\r\n\t<!-- The definition of the Root Spring Container shared by all Servlets \r\n\t\tand Filters -->\r\n\t<context-param>\r\n\t\t<param-name>contextConfigLocation<\/param-name>\r\n\t\t<param-value>\/WEB-INF\/spring\/root-context.xml<\/param-value>\r\n\t<\/context-param>\r\n\r\n\t<!-- Creates the Spring Container shared by all Servlets and Filters -->\r\n\t<listener>\r\n\t\t<listener-class>org.springframework.web.context.ContextLoaderListener<\/listener-class>\r\n\t<\/listener>\r\n\r\n\t<!-- Processes application requests -->\r\n\t<servlet>\r\n\t\t<servlet-name>appServlet<\/servlet-name>\r\n\t\t<servlet-class>org.springframework.web.servlet.DispatcherServlet<\/servlet-class>\r\n\t\t<init-param>\r\n\t\t\t<param-name>contextConfigLocation<\/param-name>\r\n\t\t\t<param-value>\/WEB-INF\/spring\/appServlet\/servlet-context.xml<\/param-value>\r\n\t\t<\/init-param>\r\n\t\t<load-on-startup>1<\/load-on-startup>\r\n\t<\/servlet>\r\n\r\n\t<!-- Spring Security Filter -->\r\n\t<filter>\r\n\t\t<filter-name>springSecurityFilterChain<\/filter-name>\r\n\t\t<filter-class>org.springframework.web.filter.DelegatingFilterProxy<\/filter-class>\r\n\t<\/filter>\r\n\r\n\t<filter-mapping>\r\n\t\t<filter-name>springSecurityFilterChain<\/filter-name>\r\n\t\t<url-pattern>\/*<\/url-pattern>\r\n\t<\/filter-mapping>\r\n\r\n\t<!-- Loads Spring Security Configuration File -->\r\n\t<context-param>\r\n\t\t<param-name>contextConfigLocation<\/param-name>\r\n\t\t<param-value>\/WEB-INF\/spring\/security.xml<\/param-value>\r\n\t<\/context-param>\r\n\r\n\t<servlet-mapping>\r\n\t\t<servlet-name>appServlet<\/servlet-name>\r\n\t\t<url-pattern>\/<\/url-pattern>\r\n\t<\/servlet-mapping>\r\n\r\n<\/web-app>\r\n<\/pre>\n
The first thing I want to say about the request handling process in Spring Security is that we have to talk about the DelegatingFilterProxy class declared in the web.xml file of the application. This is the Java Servlet’s javax.servlet.Filter interface, which acts as an interceptor, filtering all requests to Java web applications. This class is implemented to be managed by the Spring container.<\/p>\n
If you have worked with the Java Servlet Filter, you will know that the doFilter() method in this javax.servlet.Filter interface will help us to add code to handle the interceptor, the DelegatingFilterProxy class also uses the doFilter() method to do this.<\/p>\n
If you look at the code of the DelegatingFilterProxy class, you will see, actually in the doFilter() method of the DelegatingFilterProxy class, it does nothing. It only delegates filtering through another class, org.springframework.security.web.FilterChainProxy. The FilterChainProxy class also implements the javax.servlet.Filter interface with the doFilter() method. Specifically, what does the FilterChainProxy class do in doFilter() method, similar to the tutorial in Overview about request processing in Spring MVC<\/a>, I will also modify the application project’s log4j.xml file to log out all the information that Spring Security performs when it authenticates and authorizes!<\/p>\n
I will change the level of the loggers for the Spring framework from info to debug in the “3rdparty Loggers” section and root logger the priority from warn to debug. I also declared a logger for the org.springframework.security package of Spring Security.<\/p>\n
At this time, the content of log4j.xml file will be as follows:<\/p>\n
<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<!DOCTYPE log4j:configuration PUBLIC \"-\/\/APACHE\/\/DTD LOG4J 1.2\/\/EN\" \"log4j.dtd\">\r\n<log4j:configuration xmlns:log4j=\"http:\/\/jakarta.apache.org\/log4j\/\">\r\n\r\n\t<!-- Appenders -->\r\n\t<appender name=\"console\" class=\"org.apache.log4j.ConsoleAppender\">\r\n\t\t<param name=\"Target\" value=\"System.out\" \/>\r\n\t\t<layout class=\"org.apache.log4j.PatternLayout\">\r\n\t\t\t<param name=\"ConversionPattern\" value=\"%-5p: %c - %m%n\" \/>\r\n\t\t<\/layout>\r\n\t<\/appender>\r\n\t\r\n\t<!-- Application Loggers -->\r\n\t<logger name=\"com.huongdanjava.springsecurityworkflow\">\r\n\t\t<level value=\"info\" \/>\r\n\t<\/logger>\r\n\t\r\n\t<!-- 3rdparty Loggers -->\r\n\t<logger name=\"org.springframework.core\">\r\n\t\t<level value=\"debug\" \/>\r\n\t<\/logger>\r\n\t\r\n\t<logger name=\"org.springframework.beans\">\r\n\t\t<level value=\"debug\" \/>\r\n\t<\/logger>\r\n\t\r\n\t<logger name=\"org.springframework.context\">\r\n\t\t<level value=\"debug\" \/>\r\n\t<\/logger>\r\n\r\n\t<logger name=\"org.springframework.web\">\r\n\t\t<level value=\"debug\" \/>\r\n\t<\/logger>\r\n\t\r\n\t<logger name=\"org.springframework.security\">\r\n\t\t<level value=\"debug\" \/>\r\n\t<\/logger>\r\n\r\n\t<!-- Root Logger -->\r\n\t<root>\r\n\t\t<priority value=\"debug\" \/>\r\n\t\t<appender-ref ref=\"console\" \/>\r\n\t<\/root>\r\n\t\r\n<\/log4j:configuration>\r\n<\/pre>\n
Now, if you run the application and request to http:\/\/localhost:8080, check the console, you will see the following log lines:<\/p>\n
DEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'\r\nDEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists\r\nDEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'\r\nDEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET \/' doesn't match 'POST \/logout'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'\r\nDEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET \/' doesn't match 'POST \/login'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 7 of 15 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 8 of 15 in additional filter chain; firing Filter: 'DefaultLogoutPageGeneratingFilter'\r\nDEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '\/'; against '\/logout'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 9 of 15 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 10 of 15 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'\r\nDEBUG: org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 11 of 15 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 12 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'\r\nDEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9ec262f5: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 13 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 14 of 15 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/ at position 15 of 15 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'\r\nDEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: \/; Attributes: [authenticated]\r\nDEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9ec262f5: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS\r\nDEBUG: org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@26633508, returned: -1\r\nDEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point\r\norg.springframework.security.access.AccessDeniedException: Access is denied\r\n\tat org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)\r\n\tat org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)\r\n\tat org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)\r\n\tat org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter.doFilterInternal(DefaultLogoutPageGeneratingFilter.java:52)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:206)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:74)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)\r\n\tat org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)\r\n\tat org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)\r\n\tat org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)\r\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1583)\r\n\tat org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:542)\r\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)\r\n\tat org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:536)\r\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)\r\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)\r\n\tat org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1581)\r\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)\r\n\tat org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1307)\r\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)\r\n\tat org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:482)\r\n\tat org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1549)\r\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)\r\n\tat org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1204)\r\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)\r\n\tat org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221)\r\n\tat org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)\r\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)\r\n\tat org.eclipse.jetty.server.Server.handle(Server.java:494)\r\n\tat org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:374)\r\n\tat org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:268)\r\n\tat org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)\r\n\tat org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)\r\n\tat org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)\r\n\tat org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:782)\r\n\tat org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:918)\r\n\tat java.base\/java.lang.Thread.run(Thread.java:835)\r\nDEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request '\/' matched by universal pattern '\/**'\r\nDEBUG: org.springframework.security.web.savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http:\/\/localhost:8080\/]\r\nDEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Calling Authentication entry point.\r\nDEBUG: org.springframework.security.web.DefaultRedirectStrategy - Redirecting to 'http:\/\/localhost:8080\/login'\r\nDEBUG: org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@4d606c29\r\nDEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.\r\nDEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'\r\nDEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT\r\nDEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: Session@739e3a15{id=node0btk0fs8h0vtwssmqykcwsbl40,x=node0btk0fs8h0vtwssmqykcwsbl40.node0,req=1,res=true}. A new one will be created.\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'\r\nDEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET \/login' doesn't match 'POST \/logout'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'\r\nDEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET \/login' doesn't match 'POST \/login'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 7 of 15 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'\r\nDEBUG: org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@4d606c29\r\nDEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.\r\nDEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'\r\nDEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT\r\nDEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: Session@739e3a15{id=node0btk0fs8h0vtwssmqykcwsbl40,x=node0btk0fs8h0vtwssmqykcwsbl40.node0,req=1,res=true}. A new one will be created.\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'\r\nDEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET \/favicon.ico' doesn't match 'POST \/logout'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'\r\nDEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET \/favicon.ico' doesn't match 'POST \/login'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 7 of 15 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 8 of 15 in additional filter chain; firing Filter: 'DefaultLogoutPageGeneratingFilter'\r\nDEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '\/favicon.ico'; against '\/logout'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 9 of 15 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 10 of 15 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'\r\nDEBUG: org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)\r\nDEBUG: org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals)\r\nDEBUG: org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=\/; arg2=\/favicon.ico (property not equals)\r\nDEBUG: org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 11 of 15 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 12 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'\r\nDEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@a9fd396d: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: node0btk0fs8h0vtwssmqykcwsbl40; Granted Authorities: ROLE_ANONYMOUS'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 13 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 14 of 15 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/favicon.ico at position 15 of 15 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'\r\nDEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: \/favicon.ico; Attributes: [authenticated]\r\nDEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@a9fd396d: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: node0btk0fs8h0vtwssmqykcwsbl40; Granted Authorities: ROLE_ANONYMOUS\r\nDEBUG: org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@26633508, returned: -1\r\nDEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point\r\norg.springframework.security.access.AccessDeniedException: Access is denied\r\n\tat org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)\r\n\tat org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)\r\n\tat org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)\r\n\tat org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter.doFilterInternal(DefaultLogoutPageGeneratingFilter.java:52)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:206)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:74)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)\r\n\tat org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)\r\n\tat org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)\r\n\tat org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)\r\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1583)\r\n\tat org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:542)\r\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)\r\n\tat org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:536)\r\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)\r\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)\r\n\tat org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1581)\r\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)\r\n\tat org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1307)\r\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)\r\n\tat org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:482)\r\n\tat org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1549)\r\n\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)\r\n\tat org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1204)\r\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)\r\n\tat org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221)\r\n\tat org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)\r\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)\r\n\tat org.eclipse.jetty.server.Server.handle(Server.java:494)\r\n\tat org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:374)\r\n\tat org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:268)\r\n\tat org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)\r\n\tat org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)\r\n\tat org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)\r\n\tat org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)\r\n\tat org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)\r\n\tat org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)\r\n\tat org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:135)\r\n\tat org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:782)\r\n\tat org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:918)\r\n\tat java.base\/java.lang.Thread.run(Thread.java:835)\r\nDEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request '\/favicon.ico' matched by universal pattern '\/**'\r\nDEBUG: org.springframework.security.web.savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http:\/\/localhost:8080\/favicon.ico]\r\nDEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Calling Authentication entry point.\r\nDEBUG: org.springframework.security.web.DefaultRedirectStrategy - Redirecting to 'http:\/\/localhost:8080\/login'\r\nDEBUG: org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@4d606c29\r\nDEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.\r\nDEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'\r\nDEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT\r\nDEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: Session@739e3a15{id=node0btk0fs8h0vtwssmqykcwsbl40,x=node0btk0fs8h0vtwssmqykcwsbl40.node0,req=1,res=true}. A new one will be created.\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'\r\nDEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET \/login' doesn't match 'POST \/logout'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'\r\nDEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET \/login' doesn't match 'POST \/login'\r\nDEBUG: org.springframework.security.web.FilterChainProxy - \/login at position 7 of 15 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'\r\nDEBUG: org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@4d606c29\r\nDEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.\r\nDEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed\r\n<\/pre>\n
Looking at the above loglines, you can see, with our config in the security.xml file, when calling the request to the home page of the application, there are 15 Filter classes called by the FilterChainProxy class to Spring Security that can carry out its responsibilities. Each filter has its own function and task, and if you look at the code of the UsernamePasswordAuthenticationFilter class and the BasicAuthenticationFilter class, you will see that these two classes will take care of the authentication handling in Spring Security. UsernamePasswordAuthenticationFilter will take care of authentication when the user calls the POST request “\/login” and BasicAuthenticationFilter will take care of authentication with user and password information passed on the request header. Both of these filters call the authenticate() method of the AuthenticationManager interface to perform authentication.<\/p>\n
In addition to the AuthenticationManager interface, the common implementation of this interface is the ProviderManager class. The ProviderManager class will call a list of AuthenticationProvider which we declared in Spring Security’s configuration file, security.xml:<\/p>\n
\"Overview<\/p>\n
to check the support of these AuthenticationProvider and perform authentication.<\/p>\n
\"Overview<\/p>\n
By default, the DaoAuthenticationProvider class will take care of authentication. It will use the UserDetailsService class to get the user information that we declared in the security.xml configuration file to do this.<\/p>\n
Details of the authentication, you can read more code! I can overview the authentication in Spring Security as follows:<\/p>\n
\"Overview
\n