The filterInvocationDefinitionSource is the key property for the FilterChainProxy. It defines a ruleset for invoking the filters. As shown in Listing 6-3, it will convert an incoming request URL to lowercase before any comparison. It will use Apache Ant-based pattern matching to map an incoming request to the Spring Security filters. In this example, all the incoming requests will pass through five filters. (I will get into the core of Spring Security in a while and explain the functions of each of these filters.) There are several other concrete filter implementations provided by Spring. You can refer to the Spring Security documentation at http://static.springframework.org/spring-security/site/index.html for more details about them. For our purposes in this section, these five will be sufficient.
The httpSessionContextIntegrationFilter filter will be the first filter to be executed when the request reaches FilterChainProxy. The ordering is important because one filter may depend on the value set by the preceding or succeeding ones. In other words, setting the filters in a different order may lead to unpredictable results. Figure 6-3 shows the filter chaining.
Figure 6-3. Filter chaining in Spring Security
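
The rule resolution described above, as an added illustration (not Listing 6-3 and not Spring Security's own code): the URL is lowercased, matched against Ant-style patterns in declaration order, and the first matching rule supplies the ordered filter list. The class name, the /admin/** rule and every filter name other than httpSessionContextIntegrationFilter are hypothetical, and the matcher is a simplified stand-in for Spring's Ant matcher.

```java
import java.util.*;
import java.util.regex.Pattern;

public class FilterRuleDemo {
    // Constructed ruleset, kept in declaration order: pattern -> ordered filter names.
    // Only httpSessionContextIntegrationFilter is named on the page; the rest are placeholders.
    static final Map<String, List<String>> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/admin/**", Arrays.asList("httpSessionContextIntegrationFilter",
                "adminOnlyFilter", "accessDecisionFilter"));
        RULES.put("/**", Arrays.asList("httpSessionContextIntegrationFilter",
                "accessDecisionFilter"));
    }

    // Simplified Ant-to-regex translation: ** spans path segments, * and ? stay inside one.
    static Pattern antToRegex(String ant) {
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (c == '*' && i + 1 < ant.length() && ant.charAt(i + 1) == '*') {
                re.append(".*");
                i++; // consume the second '*'
            } else if (c == '*') {
                re.append("[^/]*");
            } else if (c == '?') {
                re.append("[^/]");
            } else {
                re.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.compile(re.toString());
    }

    // Returns the filter list of the first rule whose pattern matches the request path.
    static List<String> resolve(String url, boolean lowercaseFirst) {
        String path = lowercaseFirst ? url.toLowerCase(Locale.ROOT) : url;
        for (Map.Entry<String, List<String>> rule : RULES.entrySet()) {
            if (antToRegex(rule.getKey()).matcher(path).matches()) {
                return rule.getValue();
            }
        }
        return Collections.emptyList();
    }

    public static void main(String[] args) {
        for (String url : new String[] {"/admin/users", "/ADMIN/Users", "/index.html"}) {
            System.out.println(url + " lowercased=true  -> " + resolve(url, true));
            System.out.println(url + " lowercased=false -> " + resolve(url, false));
        }
    }
}
```

With lowercasing switched off, the mixed-case admin path falls through to the catch-all rule and never reaches the admin-specific filter, which is why the patterns are written in lowercase and the URL is normalized before comparison.
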
Session Context Integration Filter (SCIF)
This is the first of the five filters in the chain that is executed in Spring Security. SCIF checks whether an HttpSession has been started and whether it contains a security context object. If the SecurityContext object is not found, it creates a new instance of this object. SCIF puts the security context object in a temporary placeholder called a security context holder for the other filters in the chain to access and update important information such
