Spring Security Filter
DisableEncodeUrlFilter
The DisableEncodeUrlFilter ensures that session ids are not exposed through URLs by preventing URL rewriting from appending session information.
The filter passes the request on to the next filter and wraps the response in a DisableEncodeUrlResponseWrapper. That wrapper overrides encodeRedirectURL and encodeURL so that they return the URL unchanged, which guarantees that the session id is never appended to a URL.
WebAsyncManagerIntegrationFilter
The WebAsyncManagerIntegrationFilter ensures that the SecurityContext is properly propagated and accessible during asynchronous web requests in a Spring application.
SecurityContextHolderFilter
The SecurityContextHolderFilter is responsible for ensuring that the SecurityContext is properly managed throughout the lifecycle of a request and cleaned up at the end of it. The SecurityContext holds the user's authentication information, such as their identity and authorities.
When an incoming request reaches the SecurityContextHolderFilter, it loads the SecurityContext from the SecurityContextRepository (looked up by session id), or initializes an empty one if none exists, and then stores it in the SecurityContextHolder.
After the request has been processed by the controller and the response travels back out, the outgoing response reaches the SecurityContextHolderFilter again. It stores the SecurityContext in the SecurityContextRepository, preserving the user's authentication state for future requests in the current session. It then clears the SecurityContextHolder by removing the SecurityContext, which prevents sensitive information from leaking between requests, or between threads serving different sessions.
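The following is an added example, not code from the article, showing the two halves that the SecurityContextHolderFilter connects: the per-thread SecurityContextHolder and the session-backed SecurityContextRepository. It assumes a Spring Security 6 application; the `persist` helper is hypothetical and stands in for whatever code completes a custom login.

```java
// Added example: explicit persistence of a SecurityContext in Spring Security 6.
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

@Configuration
public class ExplicitContextConfig {

    // Session-backed repository: the SecurityContextHolderFilter reads from it on the way in.
    @Bean
    SecurityContextRepository securityContextRepository() {
        return new HttpSessionSecurityContextRepository();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, SecurityContextRepository repo) throws Exception {
        http
            // requireExplicitSave(true) is the Spring Security 6 default: the filter no longer
            // saves the context automatically on the way out, so code that authenticates a
            // user by hand must call the repository itself (see persist() below).
            .securityContext(ctx -> ctx.securityContextRepository(repo).requireExplicitSave(true))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }

    /** Hypothetical helper invoked after a custom login has produced an Authentication. */
    static void persist(Authentication auth, HttpServletRequest request,
                        HttpServletResponse response, SecurityContextRepository repo) {
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth);
        SecurityContextHolder.setContext(context);    // visible to the current request thread
        repo.saveContext(context, request, response); // survives into the next request of this session
    }
}
```

Without the `saveContext` call the user appears logged in for the current request only, because the holder is cleared when the filter finishes and nothing was written back to the session.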
HeaderWriterFilter
The HeaderWriterFilter in Spring Security adds security headers to HTTP responses to protect against common web vulnerabilities such as XSS and clickjacking. It is configurable and helps enforce security policies in the browser.
CorsFilter
The CorsFilter handles Cross-Origin Resource Sharing (CORS): it applies the configured CORS policy to cross-origin requests and answers preflight requests before the request reaches the rest of the chain.
CsrfFilter
The CsrfFilter takes care of cross-site request forgery (CSRF) protection.
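The following is an added example, not code from the article, configuring the three filters described above (HeaderWriterFilter, CorsFilter and CsrfFilter) in one SecurityFilterChain for Spring Security 6. The origin `https://app.example.com` and the `/api/**` path are assumed values.

```java
// Added example: headers, CORS and CSRF configuration in a single filter chain.
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class HeadersCorsCsrfConfig {

    // Policy consumed by the CorsFilter. Listing explicit origins matters: "*" combined with
    // allowCredentials(true) is rejected by browsers and would widen exposure if it were not.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of("https://app.example.com")); // assumed origin
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type", "X-XSRF-TOKEN"));
        cfg.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg); // assumed path
        return source;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, CorsConfigurationSource cors) throws Exception {
        http
            // HeaderWriterFilter: tighten the response headers beyond the defaults
            .headers(h -> h
                .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'; frame-ancestors 'none'"))
                .frameOptions(fo -> fo.deny())                       // clickjacking: X-Frame-Options: DENY
                .httpStrictTransportSecurity(hsts -> hsts.includeSubDomains(true).maxAgeInSeconds(31536000)))
            // CorsFilter: use the policy bean above
            .cors(c -> c.configurationSource(cors))
            // CsrfFilter: token kept in a cookie that JavaScript may read, so a browser client
            // can echo it back in the X-XSRF-TOKEN header on state-changing requests
            .csrf(c -> c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            .authorizeHttpRequests(a -> a.anyRequest().authenticated());
        return http.build();
    }
}
```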
LogoutFilter
The LogoutFilter handles the logout process. It intercepts logout requests, invalidates the user's session, clears the SecurityContext, and redirects the user to a configured logout success URL or returns a response indicating a successful logout. It ensures that users are properly logged out and that any authentication data is securely removed.
UsernamePasswordAuthenticationFilter
The UsernamePasswordAuthenticationFilter processes login requests by intercepting HTTP requests (typically a POST request to /login) that carry a username and password. The filter uses an AuthenticationManager to authenticate the credentials and then handles the success or failure of the login attempt in a Spring Security application.
DefaultLoginPageGeneratingFilter
This filter generates and displays a default login page when a custom one is not provided. It checks if the incoming request matches specific URLs like /login, /logout, or /login?error. If the request matches /login, it generates a login page for the user. If the request does not match these URLs or if authentication has already been performed, the filter does nothing.
DefaultLogoutPageGeneratingFilter
The DefaultLogoutPageGeneratingFilter is triggered when the user accesses the /logout endpoint; it automatically generates a basic logout confirmation page when no custom logout page is configured.
BasicAuthenticationFilter
The BasicAuthenticationFilter processes HTTP Basic authentication requests. The filter intercepts incoming HTTP requests whose Authorization header contains the encoded username and password:
Authorization: Basic <Base64EncodedCredentials>
When decoded, the credentials have the form:
<username>:<password>
The filter then authenticates the decoded username and password and stores the authentication result in the security context.
RequestCacheAwareFilter
The RequestCacheAwareFilter restores a user's original request after they successfully log in, ensuring that they are redirected back to the page they initially wanted to access, enhancing the user experience.
SecurityContextHolderAwareRequestFilter
The SecurityContextHolderAwareRequestFilter wraps the HTTP request in a Spring Security-aware wrapper, providing easy access to security-related methods, such as role checking and retrieving the authenticated user’s details, throughout your application.
AnonymousAuthenticationFilter
The AnonymousAuthenticationFilter assigns an anonymous identity to unauthenticated users, allowing the application to apply consistent security rules to both authenticated and anonymous users. It enables access to public resources while still protecting sensitive ones. For example, when an unauthenticated user accesses an endpoint that has been configured as permitAll() in the security config, the user reaches the resource as an anonymous user.
ExceptionTranslationFilter
The ExceptionTranslationFilter captures all authentication and authorization exceptions. It catches AuthenticationException and AccessDeniedException.
AuthorizationFilter
This is the last filter in the filter chain; it is responsible for enforcing access control by determining whether an authenticated user has the necessary roles or permissions to access a particular resource. After authentication has been processed, this filter checks the user's roles against the security configuration to decide whether access should be granted. If the user is authorized, the request proceeds to the relevant resource, such as a controller; if not, the filter denies access, typically resulting in a 403 Forbidden response. Additionally, the filter handles whitelisted URLs, allowing public access to certain endpoints without requiring authentication or specific permissions.
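The following is an added example, not code from the article, showing how the AuthorizationFilter rules, the anonymous permitAll() case, HTTP Basic, logout, and the ExceptionTranslationFilter's handlers fit together in one Spring Security 6 configuration. All paths and role names are assumed for illustration.

```java
// Added example: ordered authorization rules plus the filters that feed them.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class AuthorizationRulesConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // AuthorizationFilter evaluates these rules in order and the first match wins,
            // so the most specific patterns come first and a catch-all closes the list.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**", "/login", "/logout").permitAll() // anonymous users pass
                .requestMatchers("/admin/**").hasRole("ADMIN")          // requires authority ROLE_ADMIN
                .requestMatchers("/api/**").hasAnyRole("USER", "ADMIN")
                .requestMatchers("/internal/**").denyAll()             // never reachable over HTTP
                .anyRequest().authenticated())                         // catch-all: anonymous is rejected
            // BasicAuthenticationFilter for API clients, UsernamePasswordAuthenticationFilter for browsers
            .httpBasic(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults())
            // LogoutFilter: POST /logout invalidates the session and clears the SecurityContext
            .logout(l -> l.logoutUrl("/logout").invalidateHttpSession(true).deleteCookies("JSESSIONID"))
            // ExceptionTranslationFilter: for /api/** answer an AuthenticationException with a bare 401
            // instead of redirecting to the login page; AccessDeniedException keeps the default 403.
            .exceptionHandling(e -> e.defaultAuthenticationEntryPointFor(
                new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
                new AntPathRequestMatcher("/api/**")));
        return http.build();
    }
}
```

A request from an anonymous user to `/admin/**` is turned into a 401 (or a login redirect) rather than a 403, because the ExceptionTranslationFilter treats an AccessDeniedException from an anonymous principal as a missing authentication.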