Debugging a custom Spring Security Filterchain
Spring Security allows you to intersperse Filters in your application for a given URI pattern. This can get quite complex with multiple URIs and different filter combinations for a given URI (Configurer). Spring Security has a default filter chain that is very well documented (as below), but things can get a bit complex with custom Configurers.
But there comes a time when you have to identify the order of a given configuration or URI, in addition to the order of the filters for that configuration.
One way is to document the Filters of a complex application, but at times this can get unwieldy in the age of annotations.
Below are two quick ways to identify the following:
a) The Order of the Configurers
b) The order of Filters in a given Configurer
The Order of the Configurers
There can be multiple filters in a given FilterChainProxy. This gives us the flexibility to tailor the filters by URI.
Now, in addition to the flexibility of the Filters for a given URI pattern, you can also dictate the order of the URI.
The best way to debug the Order of your configuration is to place a breakpoint in SpringSecurityFilterChain.java at startup. This will reveal the Order of the Configurers.
To illustrate this I’m going to use an implementation of OpenID. The screenshot below illustrates the list of Configurers and the order of Configurers that the application is going to encounter.
The order of Filters in a given Configurer
The order of filters in a given Configurer can be quite complex, and debugging a configuration at runtime can get quite time-consuming. A bird’s-eye view of the filters can again be obtained at startup.
A quick view can be obtained from SpringSecurityFilterChain.java.
Now you can also go into great detail, down to the filter order number. (Note: the filter order number here may not match the number you provided, but the filter will still be placed in the same relative order.)
This should give you enough not only to debug your ordering but also to gain better insight into the chain.
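The same startup view can also be written to the log instead of being read off a breakpoint. The class below is an added example, not code from the original post or from Spring itself; it assumes Spring Security 6.x on Java 17+, and FilterChainDumper is a hypothetical name.

```java
// Added example; assumes Spring Security 6.x (jakarta.servlet) on Java 17+.
import jakarta.servlet.Filter; // javax.servlet.Filter on Spring Security 5.x
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationListener;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Component;

/** Hypothetical helper: logs every security filter chain once the context is up. */
@Component
public class FilterChainDumper implements ApplicationListener<ContextRefreshedEvent> {

    private static final Logger log = LoggerFactory.getLogger(FilterChainDumper.class);
    private static final String BEAN = "springSecurityFilterChain";

    @Override
    public void onApplicationEvent(ContextRefreshedEvent event) {
        ApplicationContext ctx = event.getApplicationContext();
        Object bean = ctx.containsBean(BEAN) ? ctx.getBean(BEAN) : null;
        if (!(bean instanceof FilterChainProxy proxy)) {
            // e.g. security not configured, or the proxy is wrapped by another filter
            log.warn("{} is not a FilterChainProxy: {}", BEAN, bean);
            return;
        }
        List<SecurityFilterChain> chains = proxy.getFilterChains();
        for (int i = 0; i < chains.size(); i++) {
            SecurityFilterChain chain = chains.get(i);
            // Chains are consulted in list order and the first match handles the
            // request, so a broad matcher early in the list shadows later chains.
            Object matcher = (chain instanceof DefaultSecurityFilterChain d)
                    ? d.getRequestMatcher() : chain.getClass().getName();
            log.info("chain[{}] matcher={}", i, matcher);
            List<Filter> filters = chain.getFilters();
            for (int j = 0; j < filters.size(); j++) {
                log.info("  filter[{}] {}", j, filters.get(j).getClass().getName());
            }
        }
    }
}
```

Comparing this output between builds makes it easy to spot a chain whose matcher has moved ahead of a stricter one, or an authentication filter that has dropped out of a chain.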
Checking the Filter chain at runtime
Every request goes through the process of identifying and matching a filter chain in ApplicationFilterFactory:
public static ApplicationFilterChain createFilterChain(ServletRequest request,
        Wrapper wrapper, Servlet servlet)
This is where it matches for a given URI.
The match can help you identify which filter chain was picked up and how the match was performed.
This will ultimately provide the list of filters that got added to the chain.
Summary
For those who have really felt the pain and ignorance of the “Spring magic”, I hope this helps you not reinvent the wheel or lose time debugging the Spring Security filter chain.