Wednesday, July 24, 2024

What is the delegating filter proxy in Spring Security? How does it work?

The delegating filter proxy, or DelegatingFilterProxy, is a Spring-aware class that implements the javax.servlet.Filter interface and is used to activate Spring Security in a web application. Since filters are created and maintained by the Servlet or web container, this filter is declared in web.xml and configured to process requests for all URLs, which means every request and response passes through it. In other words, DelegatingFilterProxy works as a proxy between the web container and the Spring container. It passes every request and response to Spring Security, which enforces security constraints, e.g. performing authentication or authorization.

If you remember, Spring maintains a chain of filters to implement various security constraints, e.g. SessionManagementFilter, ExceptionTranslationFilter, AnonymousAuthenticationFilter, etc.

These filters are Spring-aware, which means they are created and maintained by the Spring container rather than the web container. This design lets all of those filters use the facilities provided by Spring's dependency injection container.

You also don't need to be aware of this Spring Security filter chain, which uses a dedicated filter for each specific function. All this complexity is hidden behind <http auto-config="true">, which, if enabled, searches for the "springSecurityFilterChain" bean and configures a chain of essential filters to implement security.

Though you can manually configure the filters in a more traditional way, I won't recommend that because you have to initialize a lot of pre-defined filters to create the Spring Security filter chain. Let Spring do the hard work for you and initialize and set up the chain of filters required for implementing security constraints.

I suggest you look at the code of DelegatingFilterProxy to understand what it does and how it does it. The two important methods are initFilterBean(), which shows how DelegatingFilterProxy initializes the Spring Security filters, and doFilter(), which shows how it delegates request processing to the Spring-aware filters, i.e. the chain of Spring Security filters.



Important points about DelegatingFilterProxy in Spring Security

Here are a few key points about DelegatingFilterProxy which every Java developer should be aware of and familiar with while working on a Spring Security web application.

1) DelegatingFilterProxy is a Spring-aware Filter implementation which delegates the filtering to Spring beans that implement the Filter interface. It acts as a bridge between the Servlet container and the Spring container.

2) Here is the XML snippet to declare the delegating filter proxy in web.xml:

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>


3) The name "springSecurityFilterChain" is very important if you are using <http auto-config="true">, because Spring looks for this bean definition in the Spring application context file to forward incoming requests and responses to the relevant filter beans in the chain.

4) If you are not using auto-config="true", you can change the filter name to whatever you want, but you must declare a bean with the same name in the Spring application context file, e.g. applicationContext.xml or applicationContext-security.xml.

5) If you don't want the filter-name in web.xml and the bean name in the Spring Security configuration file to be the same, you can specify the actual bean name as targetBeanName in the filter declaration in web.xml using init-param tags.

If targetBeanName is not specified, the filter name is used as the bean name. That value is retrieved from the FilterConfig object by calling the getFilterName() method.

protected void initFilterBean() throws ServletException {
    synchronized (this.delegateMonitor) {
        if (this.delegate == null) {
            // If no target bean name specified, use filter name.
            if (this.targetBeanName == null) {
                this.targetBeanName = getFilterName();
            }
            // ..... (rest of the method omitted)
        }
    }
}


6) DelegatingFilterProxy implements the Filter interface of the Servlet package, but its doFilter() method just delegates the pre-processing and post-processing to the Spring-aware filter implementation.

7) DelegatingFilterProxy extends GenericFilterBean, hence it inherits all the initialization code and other abilities of GenericFilterBean.

8) If you are running Spring Security with the default configuration, you must keep the filter name "springSecurityFilterChain"; otherwise Spring Security will fail to initialize because it looks for a filter bean with this name.
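
The name lookup and delegation from the points above, as a simplified plain-Java model. This is an added example, not Spring's source code and not code from the original post: SimpleFilter, SimpleChain, FilterProxy and the Map used as the container are stand-ins assumed for illustration, and the bean and request paths are constructed.

```java
import java.util.*;
// Simplified model: SimpleFilter, SimpleChain and the Map "context" are invented stand-ins.
public class DelegatingProxyModel {
    interface SimpleChain { void proceed(String request); }
    interface SimpleFilter { void doFilter(String request, SimpleChain chain); }
    static class FilterProxy implements SimpleFilter {
        private final String filterName;                  // <filter-name> from web.xml
        private final String targetBeanName;              // optional init-param, may be null
        private final Map<String, SimpleFilter> context;  // stand-in for the Spring container
        private SimpleFilter delegate;
        FilterProxy(String filterName, String targetBeanName, Map<String, SimpleFilter> context) {
            this.filterName = filterName; this.targetBeanName = targetBeanName; this.context = context;
        }

        // Same fallback as initFilterBean(): without targetBeanName the filter name is used.
        synchronized SimpleFilter resolveDelegate() {
            if (delegate == null) {
                String beanName = (targetBeanName != null) ? targetBeanName : filterName;
                delegate = context.get(beanName);
                if (delegate == null) {
                    throw new IllegalStateException("No filter bean named '" + beanName + "'");
                }
            }
            return delegate;
        }
        // The proxy enforces nothing itself; it hands the request to the resolved bean.
        @Override
        public void doFilter(String request, SimpleChain chain) {
            resolveDelegate().doFilter(request, chain);
        }
    }

    public static void main(String[] args) {
        Map<String, SimpleFilter> context = new HashMap<>();
        // Constructed bean: lets /public through and blocks everything else.
        context.put("springSecurityFilterChain", (req, chain) -> {
            if (req.startsWith("/public")) chain.proceed(req);
            else System.out.println("blocked by security chain: " + req);
        });
        SimpleChain servlet = req -> System.out.println("servlet handled: " + req);
        new FilterProxy("springSecurityFilterChain", null, context).doFilter("/public/home", servlet);
        new FilterProxy("securityFilter", "springSecurityFilterChain", context).doFilter("/admin", servlet);
        try {   // filter name matches no bean and no targetBeanName is given
            new FilterProxy("securityFilter", null, context).doFilter("/admin", servlet);
        } catch (IllegalStateException e) {
            System.out.println("lookup failed: " + e.getMessage());
        }
    }
}
```

The third call shows the failure mode: a filter name that matches no bean, with no targetBeanName to redirect the lookup, leaves the proxy without a delegate.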

Here is also a nice diagram which shows how the delegating filter proxy works in Spring Security. It's also an important Spring Security question, so make sure you understand the flow well.


[Diagram: how the delegating filter proxy works in Spring Security]



That's all about what the delegating filter proxy is in Spring Security. As I said, the DelegatingFilterProxy class is a Filter which is used to implement Spring Security functionality. It intercepts all requests and responses and delegates them to the corresponding Spring Security filter in the filter chain.

This is a very important class because it is the bridge between the web container and the Spring container. Without this configuration, Spring Security will not work, because the Servlet container will not call the doFilter() method of the DelegatingFilterProxy class, which delegates the request and response to the actual filter classes that implement various security features, e.g. login, logout, authentication, authorization, role checking, etc.

Remember, DelegatingFilterProxy doesn't implement any security aspects itself; it just delegates to Spring beans, which are also filters, to perform the actual security tasks.

