What's the point of Spring MVC's DelegatingFilterProxy?

Question

I see this in my Spring MVC app\'s web.xml:

    springSecurityFilterCh         


        

Answer 1

There's some kind of magic here, but at the end, everything is a deterministic program.

The DelegatingFilterProxy is a Filter as it was explained above, whose goal is "delegating to a Spring-managed bean that implements the Filter interface", that is, it finds a bean ("target bean" or "delegate") in your Spring application context and invokes it. How is it possible? Because this bean implements javax.servlet.Filter, its doFilter method is called.

Which bean is called? the DelegatingFilterProxy "Supports a "targetBeanName" [...], specifying the name of the target bean in the Spring application context."

As you saw in your web.xml that the bean's name is "springSecurityFilterChain".

So, in the context of a web application, a Filter instantiates a bean called "springSecurityFilterChain" in your application context and then delegate to it via the doFilter() method.

Remember, your application context is defined with ALL THE APPLICATION-CONTEXT (XML) files. For instance: applicationContext.xml AND applicationContext-security.xml.

So try to find a bean called "springSecurityFilterChain" in the latter...

...and probably you can't (for instance if you followed a tutorial or if you configured the security using Roo)

Here is the magic: there's a new element for configuring the security, something like

<http auto-config="true" use-expressions="true"> 

as it is allowed by http://www.springframework.org/schema/security/spring-security-3.0.xsd, will do the trick.

When Spring loads the application context using XML files, if it finds a element, it will try to set up the HTTP security, that is, a filter stack and protected URLs and to register the FilterChainProxy named "springSecurityFilterChain".

Alternatively, you can define the bean in the classic way, that is:

<beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">

But it's less recommended, since you need to do a lot of configuration (all the filters that you're going to use. And there are more than a dozen of them)