After learning about Authentication and Authorization, I came across another important term in Spring Security:
Security Filter Chain
Almost every request in a Spring Security application passes through it.
But what exactly is it, and why is it so important?
Let's understand it with a simple example.
What is the Security Filter Chain?
The Security Filter Chain is an ordered chain of servlet filters that every incoming request passes through before it reaches your controller.
Client Request
↓
Security Filter Chain
↓
Controller
↓
Response
Think of it as a security checkpoint.
Before allowing a request to enter your application, Spring Security performs multiple checks.
Why Do We Need It?
Imagine a shopping mall without security guards.
Anyone could walk in and access restricted areas.
Similarly, without security checks, anyone could access your APIs.
The Security Filter Chain helps Spring Security:
- Identify users
- Verify credentials
- Check permissions
- Handle security-related exceptions
What Happens Inside the Filter Chain?
When a request enters the application, multiple filters examine it one by one.
For example:
- Is the user authenticated?
- Does the request carry a valid JWT?
- Does the user have the required role?
- Is access allowed for this endpoint?
Each filter has a single, specific responsibility.
If any check fails, the request is stopped right there: the filter writes an error response (typically 401, 403, or a redirect to the login page) and the later filters and the controller never see it.
A Simple Example
Suppose a user tries to access:
GET /api/customers
The request first enters the Security Filter Chain.
Request
↓
Filter 1: Authentication Check
↓
Filter 2: Authorization Check
↓
Controller
If authentication fails:
Request
↓
Authentication Failed ❌
↓
Access Denied
The controller is never reached.
Defining a Security Filter Chain
In modern Spring Security, we configure security using a SecurityFilterChain bean.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")   // only users with ROLE_ADMIN
                .anyRequest().authenticated())                  // everything else: must be logged in
            .formLogin(Customizer.withDefaults());              // browser login form with default settings
        return http.build();
    }
}
In this configuration:
- /admin/** can only be accessed by users with the ADMIN role.
- All other requests require an authenticated user.
From this configuration Spring Security builds the required filters for you (for example, a UsernamePasswordAuthenticationFilter for the login form and an AuthorizationFilter for the request rules); you never register them by hand.
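As an added example (not code from the original post), here is what a filter chain for the GET /api/customers case described earlier can look like, with a small audit filter placed just before the AuthorizationFilter so it sees the already-authenticated principal before the access decision is made. The package name, ApiSecurityConfig and AccessAuditFilter are assumed names; the example assumes Spring Boot 3 / Spring Security 6 and a UserDetailsService defined elsewhere that grants the CUSTOMER and ADMIN roles.

```java
// Added example, not the post's code; assumes Spring Boot 3 / Spring Security 6
// and a UserDetailsService elsewhere that grants CUSTOMER and ADMIN roles.
package com.example.demo.security; // hypothetical package
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {
    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Stateless API with HTTP Basic: no session, so no CSRF token to check.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/api/customers").hasAnyRole("CUSTOMER", "ADMIN")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // Runs after the authentication filters and just before the AuthorizationFilter.
            .addFilterBefore(new AccessAuditFilter(), AuthorizationFilter.class);
        return http.build();
    }
    // Records who is asking for what, before the authorization decision is made.
    static class AccessAuditFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                FilterChain chain) throws ServletException, IOException {
            var auth = SecurityContextHolder.getContext().getAuthentication();
            String who = (auth == null) ? "anonymous" : auth.getName();
            logger.info(who + " -> " + req.getMethod() + " " + req.getRequestURI());
            chain.doFilter(req, res); // hand the request to the next filter in the chain
        }
    }
}
```

With this chain, an unauthenticated GET /api/customers is answered 401 by the Basic entry point, a CUSTOMER calling /admin/** gets 403 from the AuthorizationFilter, and in both cases the audit line is written before the decision while the controller is never invoked.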
What Happens Internally?
When a request comes in:
- The request enters the Security Filter Chain.
- Authentication filters verify the user.
- Authorization filters check permissions.
- If everything is valid, the request reaches the controller.
Client Request
↓
Security Filter Chain
↓
Authentication
↓
Authorization
↓
Controller
↓
Response
Why Is It Important?
One thing I found interesting is that Spring Security doesn't protect controllers directly.
Instead, it protects the application by intercepting requests before they reach the controller.
This is why even if your controller exists, unauthorized users cannot access it.
The Security Filter Chain acts as the first line of defense.
The Big Takeaway
The Security Filter Chain is the backbone of Spring Security.
Whenever a request enters your application:
✅ It passes through multiple security filters
✅ Authentication is verified
✅ Authorization is checked
✅ Only valid requests reach the controller
A simple way to remember it is:
The Security Filter Chain is the gatekeeper of your application.
Understanding this concept made many Spring Security features easier for me to understand, and I hope it helps you too. 🚀