Talk about FilterSecurityInterceptor



This article will take a look at spring security’s FilterSecurityInterceptor.


The previous article talked about how SecurityContextRepossentialFilter reads and writes the context from the session. It also talks about how AbstractAuthenticationProcessingFilter writes authentication successfully into the context. So how does spring security handle requests without authentication? The answer lies in FilterSecurityInterceptor.

Filter order

Various filter built into spring security:

Alias Filter Class Namespace Element or Attribute
CHANNEL_FILTER ChannelProcessingFilter http/intercept-url@requires-channel
SECURITY_CONTEXT_FILTER SecurityContextPersistenceFilter http
CONCURRENT_SESSION_FILTER ConcurrentSessionFilter session-management/concurrency-control
HEADERS_FILTER HeaderWriterFilter http/headers
CSRF_FILTER CsrfFilter http/csrf
LOGOUT_FILTER LogoutFilter http/logout
X509_FILTER X509AuthenticationFilter http/x509
PRE_AUTH_FILTER AbstractPreAuthenticatedProcessingFilter Subclasses N/A
CAS_FILTER CasAuthenticationFilter N/A
FORM_LOGIN_FILTER UsernamePasswordAuthenticationFilter http/form-login
BASIC_AUTH_FILTER BasicAuthenticationFilter http/http-basic
SERVLET_API_SUPPORT_FILTER SecurityContextHolderAwareRequestFilter http/@servlet-api-provision
JAAS_API_SUPPORT_FILTER JaasApiIntegrationFilter http/@jaas-api-provision
REMEMBER_ME_FILTER RememberMeAuthenticationFilter http/remember-me
ANONYMOUS_FILTER AnonymousAuthenticationFilter http/anonymous
SESSION_MANAGEMENT_FILTER SessionManagementFilter session-management
EXCEPTION_TRANSLATION_FILTER ExceptionTranslationFilter http
FILTER_SECURITY_INTERCEPTOR FilterSecurityInterceptor http


spring-security-web-4.2.3.RELEASE-sources.jar! /org/springframework/security/web/access/intercept/

 * Performs security handling of HTTP resources via a filter implementation.
 * <p>
 * The <code>SecurityMetadataSource</code> required by this security interceptor is of
 * type {@link FilterInvocationSecurityMetadataSource}.
 * <p>
 * Refer to {@link AbstractSecurityInterceptor} for details on the workflow.
 * </p>
 * @author Ben Alex
 * @author Rob Winch
public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements
        Filter {
     * Method that is actually called by the filter chain. Simply delegates to the
     * {@link #invoke(FilterInvocation)} method.
     * @param request the servlet request
     * @param response the servlet response
     * @param chain the filter chain
     * @throws IOException if the filter chain fails
     * @throws ServletException if the filter chain fails
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        FilterInvocation fi = new FilterInvocation(request, response, chain);
public void invoke(FilterInvocation fi) throws IOException, ServletException {
        if ((fi.getRequest() != null)
                && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
                && observeOncePerRequest) {
            // filter already applied to this request and user wants us to observe
            // once-per-request handling, so don't re-do security checking
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        else {
            // first time this request being called, so perform security checking
            if (fi.getRequest() != null) {
                fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);

            InterceptorStatusToken token = super.beforeInvocation(fi);

            try {
                fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
            finally {

            super.afterInvocation(token, null);

All requests reach this filter. If this filter has not been executed before, then the first execution is InterceptorStateToken = Super. Before Invocation (FI); This is provided by AbstractSecurityInterceptor. It is the gateway for spring security to handle authentication.


spring-security-core-4.2.3.RELEASE-sources.jar! /org/springframework/security/access/intercept/

protected InterceptorStatusToken beforeInvocation(Object object) {
        Assert.notNull(object, "Object was null");
        final boolean debug = logger.isDebugEnabled();

        if (!getSecureObjectClass().isAssignableFrom(object.getClass())) {
            throw new IllegalArgumentException(
                    "Security invocation attempted for object "
                            + object.getClass().getName()
                            + " but AbstractSecurityInterceptor only configured to support secure objects of type: "
                            + getSecureObjectClass());

        Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource()

        if (attributes == null || attributes.isEmpty()) {
            if (rejectPublicInvocations) {
                throw new IllegalArgumentException(
                        "Secure object invocation "
                                + object
                                + " was denied as public invocations are not allowed via this interceptor. "
                                + "This indicates a configuration error because the "
                                + "rejectPublicInvocations property is set to 'true'");

            if (debug) {
                logger.debug("Public object - authentication not attempted");

            publishEvent(new PublicInvocationEvent(object));

            return null; // no further work post-invocation

        if (debug) {
            logger.debug("Secure object: " + object + "; Attributes: " + attributes);

        if (SecurityContextHolder.getContext().getAuthentication() == null) {
                    "An Authentication object was not found in the SecurityContext"),
                    object, attributes);

        Authentication authenticated = authenticateIfRequired();

        // Attempt authorization
        try {
            this.accessDecisionManager.decide(authenticated, object, attributes);
        catch (AccessDeniedException accessDeniedException) {
            publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated,

            throw accessDeniedException;

        if (debug) {
            logger.debug("Authorization successful");

        if (publishAuthorizationSuccess) {
            publishEvent(new AuthorizedEvent(object, attributes, authenticated));

        // Attempt to run as a different user
        Authentication runAs = this.runAsManager.buildRunAs(authenticated, object,

        if (runAs == null) {
            if (debug) {
                logger.debug("RunAsManager did not change Authentication object");

            // no further work post-invocation
            return new InterceptorStatusToken(SecurityContextHolder.getContext(), false,
                    attributes, object);
        else {
            if (debug) {
                logger.debug("Switching to RunAs Authentication: " + runAs);

            SecurityContext origCtx = SecurityContextHolder.getContext();

            // need to revert to token.Authenticated post-invocation
            return new InterceptorStatusToken(origCtx, true, attributes, object);

AccessDecisionManager is called here to judge. If there is no login status, it will pass through before reaching this Filter, and its Authentication value is AnonymousAuthenticationToken. If the anonymous request requires a url in the login state, or if the permissions are insufficient, the AccessDeniedException is thrown.


Spring security’s two entry filter are as follows:

  • AbstractAuthenticationProcessingFilter(Mainly deal with login)
  • FilterSecurityInterceptor(Mainly dealing with authentication)

However, SecurityContextInstanceFilter mainly prepares the context for these two filter.