Spring Book – Chapter 15 – Web Application Security with Spring

Spring Security ships with a number of predefined servlet filters, each performing a specific security check. Figure 15-4 below shows how these filters act on a request on its way to a secured resource in a web application protected by Spring Security.

Figure 15-4. Spring Security filters in action accomplishing appropriate security tasks

Table 15-1 below lists the filters that ship with the Spring Security module and the security task each one performs for your web application.

Table 15-1. Spring Security filters and their purpose

Filter: Description

ChannelProcessingFilter: Checks which channel (HTTP or HTTPS) the requested URL requires and redirects the request to that protocol if it arrived on the other one.

ConcurrentSessionFilter: Ensures a user does not hold more than the configured number of concurrent sessions.

(filter name missing): Binds the SecurityContext to the SecurityContextHolder at the start of a web request; when the request ends, this filter is responsible for copying any changes to the context back to the web session.

(filter name missing): Processes an authentication form submission carrying two parameters, username and password.

CasAuthenticationFilter: Processes a CAS ticket, obtains proxy-granting tickets, and processes proxy tickets to perform the authentication.

BasicAuthenticationFilter: Processes the HTTP Basic Authorization header and performs the authentication.

DigestAuthenticationFilter: Processes the HTTP Digest Authorization header and performs the authentication.

(filter name missing): Wraps the ServletRequest in a request wrapper that implements the servlet API security methods.

JaasApiIntegrationFilter: Attempts to obtain a JAAS Subject and continues the FilterChain running as that Subject.

RememberMeAuthenticationFilter: If there is no Authentication object in the SecurityContext, populates the context with a remember-me authentication token.

AnonymousAuthenticationFilter: If there is still no Authentication object in the SecurityContextHolder, populates it with an anonymous one.

ExceptionTranslationFilter: Translates exceptions raised during authentication and authorization; for example, an AuthenticationException is translated into a redirect of the user to the login page.

FilterSecurityInterceptor: Safeguards web URLs and redirects the accessing user if they lack the necessary access.
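The following configuration is an added example, not code from the book, showing how several of the filters in Table 15-1 are switched on through the Java DSL; each DSL call is annotated with the filter it installs. It assumes Spring Security 6.x, a UserDetailsService bean defined elsewhere, and an HTTPS-capable servlet container; the remember-me key is a placeholder.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class FilterChainConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // ChannelProcessingFilter: any request arriving over plain HTTP is redirected to HTTPS
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            // ConcurrentSessionFilter: one live session per user; a second login is refused
            .sessionManagement(session -> session
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true))
            // URL authorization (FilterSecurityInterceptor's role; Spring Security 6 installs its
            // successor, AuthorizationFilter): anything not listed requires an authenticated user
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // UsernamePasswordAuthenticationFilter: handles the POST of username and password
            .formLogin(form -> form.loginPage("/login").permitAll())
            // BasicAuthenticationFilter: also accept an "Authorization: Basic ..." header
            .httpBasic(Customizer.withDefaults())
            // RememberMeAuthenticationFilter: rebuild the Authentication from the remember-me cookie
            .rememberMe(remember -> remember.key("PLACEHOLDER-replace-with-a-long-random-secret"))
            // ExceptionTranslationFilter: where an authenticated but unauthorized user is sent
            .exceptionHandling(ex -> ex.accessDeniedPage("/access-denied"));
        // SecurityContextHolder binding and AnonymousAuthenticationFilter are on by default.
        return http.build();
    }

    // Publishes session-destroyed events so the session registry behind the
    // concurrency control above is kept accurate when a session expires.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```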

Tomcy John
Blogger & Author at javacodebook
He is an Enterprise Java Specialist holding a degree in Engineering (B-Tech) with over 10 years of experience in several industries. He has been working as Principal Architect at Emirates Group IT since 2005. Prior to this he worked with Oracle Corporation and Ernst & Young. His main specialization is in various web technologies, and he acts as chief mentor and architect to facilitate adopting Spring as the corporate standard in the organization.