You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -164,46 +164,224 @@ In fact, a `SecurityFilterChain` might have zero security ``Filter``s if the app
164
164
[[servlet-security-filters]]
165
165
== Security Filters
166
166
167
+
Spring Security uses a number of Servlet Filters (https://jakarta.ee/specifications/servlet/5.0/jakarta-servlet-spec-5.0.pdf[Jakarta Servlet Spec, Chapter 6]) to provide security to your application.
167
168
The Security Filters are inserted into the <<servlet-filterchainproxy>> with the <<servlet-securityfilterchain>> API.
168
-
The <<servlet-filters-review,order of ``Filter``>>s matters.
169
+
Those filters can be used for a number of different purposes, like xref:servlet/authentication/index.adoc[authentication], xref:servlet/authorization/index.adoc[authorization], xref:servlet/exploits/index.adoc[exploit protection], and more.
170
+
The filters are executed in a specific order to guarantee that they are invoked at the right time, for example, the `Filter` that performs authentication should be invoked before the `Filter` that performs authorization.
169
171
It is typically not necessary to know the ordering of Spring Security's ``Filter``s.
170
-
However, there are times that it is beneficial to know the ordering
171
-
172
-
Below is a comprehensive list of Spring Security Filter ordering:
However, there are times that it is beneficial to know the ordering, if you want to know them, you can check the {gh-url}/config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java[`FilterOrderRegistration` code].
173
+
174
+
To exemplify the above paragraph, let's consider the following security configuration:
175
+
176
+
====
177
+
.Java
178
+
[source,java,role="primary"]
179
+
----
180
+
@Configuration
181
+
@EnableWebSecurity
182
+
public class SecurityConfig {
183
+
184
+
@Bean
185
+
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
1. First, the `CsrfFilter` is invoked to protect against xref:servlet/exploits/csrf.adoc[CSRF attacks].
236
+
2. Second, the authentication filters are invoked to authenticate the request.
237
+
3. Third, the `AuthorizationFilter` is invoked to authorize the request.
238
+
239
+
[NOTE]
240
+
====
241
+
There might be other `Filter` instances that are not listed above.
242
+
If you want to see the list of filters invoked for a particular request, you can <<servlet-print-filters,print them>>.
243
+
====
244
+
245
+
[[servlet-print-filters]]
246
+
=== Printing the Security Filters
247
+
248
+
Often times, it is useful to see the list of security ``Filter``s that are invoked for a particular request.
249
+
For example, you want to make sure that the <<adding-custom-filter,filter you have added>> is in the list of the security filters.
250
+
251
+
The list of filters is printed at INFO level on the application startup, so you can see something like the following on the console output for example:
252
+
253
+
[source,text,role="terminal"]
254
+
----
255
+
2023-06-14T08:55:22.321-03:00 INFO 76975 --- [ main] o.s.s.web.DefaultSecurityFilterChain : Will secure any request with [
And that will give a pretty good idea of the security filters that are configured for <<servlet-securityfilterchain,each filter chain>>.
274
+
275
+
But that is not all, you can also configure your application to print the invocation of each individual filter for each request.
276
+
That is helpful to see if the filter you have added is invoked for a particular request or to check where an exception is coming from.
277
+
To do that, you can configure your application to <<servlet-logging,log the security events>>.
278
+
279
+
[[adding-custom-filter]]
280
+
=== Adding a Custom Filter to the Filter Chain
281
+
282
+
Mostly of the times, the default security filters are enough to provide security to your application.
283
+
However, there might be times that you want to add a custom `Filter` to the security filter chain.
284
+
285
+
For example, let's say that you want to add a `Filter` that gets a tenant id header and check if the current user has access to that tenant.
286
+
The previous description already gives us a clue on where to add the filter, since we need to know the current user, we need to add it after the authentication filters.
throw new AccessDeniedException("Access denied"); <4>
318
+
}
319
+
320
+
}
321
+
322
+
----
323
+
324
+
The sample code above does the following:
325
+
326
+
<1> Get the tenant id from the request header.
327
+
<2> Check if the current user has access to the tenant id.
328
+
<3> If the user has access, then invoke the rest of the filters in the chain.
329
+
<4> If the user does not have access, then throw an `AccessDeniedException`.
330
+
331
+
[TIP]
332
+
====
333
+
Instead of implementing `Filter`, you can extend from {spring-framework-api-url}org/springframework/web/filter/OncePerRequestFilter.html[OncePerRequestFilter] which is a base class for filters that are only invoked once per request and provides a `doFilterInternal` method with the `HttpServletRequest` and `HttpServletResponse` parameters.
334
+
====
335
+
336
+
Now, we need to add the filter to the security filter chain.
<1> Use `HttpSecurity#addFilterBefore` to add the `TenantFilter` before the `AuthorizationFilter`.
364
+
365
+
By adding the filter before the `AuthorizationFilter` we are making sure that the `TenantFilter` is invoked after the authentication filters.
366
+
You can also use `HttpSecurity#addFilterAfter` to add the filter after a particular filter or `HttpSecurity#addFilterAt` to add the filter at a particular filter position in the filter chain.
367
+
368
+
And that's it, now the `TenantFilter` will be invoked in the filter chain and will check if the current user has access to the tenant id.
369
+
370
+
Be careful when you declare your filter as a Spring bean, either by annotating it with `@Component` or by declaring it as a bean in your configuration, because Spring Boot will automatically {spring-boot-reference-url}web.html#web.servlet.embedded-container.servlets-filters-listeners.beans[register it with the embedded container].
371
+
That may cause the filter to be invoked twice, once by the container and once by Spring Security and in a different order.
372
+
373
+
If you still want to declare your filter as a Spring bean to take advantage of dependency injection for example, and avoid the duplicate invocation, you can tell Spring Boot to not register it with the container by declaring a `FilterRegistrationBean` bean and setting its `enabled` property to `false`:
374
+
375
+
[source,java]
376
+
----
377
+
@Bean
378
+
public FilterRegistrationBean<TenantFilter> tenantFilterRegistration(TenantFilter filter) {
379
+
FilterRegistrationBean<TenantFilter> registration = new FilterRegistrationBean<>(filter);
380
+
registration.setEnabled(false);
381
+
return registration;
382
+
}
383
+
----
384
+
207
385
208
386
[[servlet-exceptiontranslationfilter]]
209
387
== Handling Security Exceptions
@@ -333,3 +511,52 @@ XML::
333
511
=== RequestCacheAwareFilter
334
512
335
513
The {security-api-url}org/springframework/security/web/savedrequest/RequestCacheAwareFilter.html[`RequestCacheAwareFilter`] uses the <<requestcache,`RequestCache`>> to save the `HttpServletRequest`.
514
+
515
+
[[servlet-logging]]
516
+
== Logging
517
+
518
+
Spring Security provides comprehensive logging of all security related events at the DEBUG and TRACE level.
519
+
This can be very useful when debugging your application because for security measures Spring Security does not add any detail of why a request has been rejected to the response body.
520
+
If you come across a 401 or 403 error, it is very likely that you will find a log message that will help you understand what is going on.
521
+
522
+
Let's consider an example where a user tries to make a `POST` request to a resource that has xref:servlet/exploits/csrf.adoc[CSRF protection] enabled without the CSRF token.
523
+
With no logs, the user will see a 403 error with no explanation of why the request was rejected.
524
+
However, if you enable logging for Spring Security, you will see a log message like this:
525
+
526
+
[source,text]
527
+
----
528
+
2023-06-14T09:44:25.797-03:00 DEBUG 76975 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing POST /hello
2023-06-14T09:44:25.814-03:00 DEBUG 76975 --- [nio-8080-exec-1] o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for http://localhost:8080/hello
535
+
2023-06-14T09:44:25.814-03:00 DEBUG 76975 --- [nio-8080-exec-1] o.s.s.w.access.AccessDeniedHandlerImpl : Responding with 403 status code
536
+
2023-06-14T09:44:25.814-03:00 TRACE 76975 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
537
+
----
538
+
539
+
It becomes clear that the CSRF token is missing and that is why the request is being denied.
540
+
541
+
To configure your application to log all the security events, you can add the following to your application:
0 commit comments