Reputation: 181270
I have a Spring-based project using Spring Security. This is my configuration bean:
    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // just default options are fine
        }
    }
My question is: Is it mandatory to include a filter definition in the web.xml file like this?
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
Or should it work without it if I am using a recent enough Spring version?
My Application Server is Wildfly 10.
Upvotes: 1
Views: 71
Reputation: 124431
Spring Security implements the security by applying a servlet filter. So yes, the filter is mandatory. As explained in the reference guide, the only time it isn't required is if you don't do servlet security, which is in a standalone application or in a reactive web application.
When you are on a Servlet 3.0 container you can use the Spring Security supplied support classes to make it easier to register the filter. See this section of the reference guide. You can use the AbstractSecurityWebApplicationInitializer to register the filter for you.
If you are on an older servlet container you can still use the web.xml to do the same. Either way, a filter named springSecurityFilterChain is required.
Upvotes: 1
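The Servlet 3.0 route described in the answer above, together with a startup check that the filter really is mapped, as an added example that is not code from the question or either answer. The class names SecurityWebApplicationInitializer and SecurityFilterStartupCheck are hypothetical, the two classes belong in separate files, and the javax.servlet API is assumed.

```java
// File: SecurityWebApplicationInitializer.java (hypothetical class name)
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Discovered on Servlet 3.0+ containers via Spring's SpringServletContainerInitializer.
// Registers a DelegatingFilterProxy named "springSecurityFilterChain" mapped to /*,
// which is what the web.xml <filter>/<filter-mapping> pair declares.
public class SecurityWebApplicationInitializer
        extends AbstractSecurityWebApplicationInitializer {

    public SecurityWebApplicationInitializer() {
        // Assumption: nothing else loads WebSecurityConfig into a root context.
        // If a ContextLoaderListener or a Spring MVC initializer already does,
        // remove this constructor and rely on the no-arg default instead.
        super(WebSecurityConfig.class);
    }
}

// File: SecurityFilterStartupCheck.java (hypothetical class name)
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

// Throws during startup if the filter is absent or not mapped to /*, so a
// packaging mistake is not mistaken for a protected application.
@WebListener
public class SecurityFilterStartupCheck implements ServletContextListener {

    private static final String FILTER_NAME = "springSecurityFilterChain";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        FilterRegistration reg =
                sce.getServletContext().getFilterRegistration(FILTER_NAME);
        if (reg == null || !reg.getUrlPatternMappings().contains("/*")) {
            throw new IllegalStateException(
                    "Filter '" + FILTER_NAME + "' is not mapped to /*");
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

The check works the same whether the filter was declared in web.xml or registered by the initializer, since both end up as a FilterRegistration on the ServletContext.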
Reputation: 12021
Since Spring Security 4 you can now use the Java-based configuration for your Security, so the web.xml is obsolete.
Upvotes: 1