박찬준

Reputation: 11

Inquire Spring Security Filter Chain Order

I opened the issue because I had an inquiry regarding the Spring Security default Filter Chains order.

[ What I know ]

Basically, the order of Filter Chains provided by Spring Security is as follows.

  1. SecurityContextPersistenceFilter
  2. LogoutFilter
  3. UsernamePasswordAuthenticationFilter
  4. ConcurrentSessionFilter
  5. RememberMeAuthenticationFilter
  6. AnonymousAuthenticationFilter
  7. SessionManagementFilter
  8. ExceptionTranslationFilter
  9. FilterSecurityInterceptor

Among these, the part I would like to inquire about the order is ExceptionTranslationFilter.

According to my understanding, the ExceptionTranslationFilter serves to handle the AuthenticationException and AccessDeniedException that occur in logic after the corresponding Filter. I understand that AuthenticationException is handled by AuthenticationEntryPoint and AccessDeniedException is handled by AccessDeniedHandler.

And I understand that this AuthenticationEntryPoint and AccessDeniedHandler can be customized on the HttpSecurity object in Security Config as follows.

http.exceptionHandling()
        .authenticationEntryPoint(customEntryPoint)
        .accessDeniedHandler(customAccessDeniedHandler)

[ Issue ]

I wonder why the order of UsernamePasswordAuthenticationFilter is ahead of ExceptionTranslationFilter among the Filter Chains I wrote earlier.

UsernamePasswordAuthenticationFilter is an object that inherits AbstractAuthenticationProcessingFilter and performs authentication using Username and Password in a FormLogin environment. Failure to authenticate during this process may, of course, result in AuthenticationException, which is handled by the AuthenticationFailureHandler that is registered (or customized) by default with AbstractAuthenticationProcessingFilter.

Of course, there is a way to make an AuthenticationException that occurs on that Filter be handled by a customized AuthenticationEntryPoint. If UsernamePasswordAuthenticationFilter were located behind ExceptionTranslationFilter by default, it would have been possible to handle exceptions using a customized AuthenticationEntryPoint without any setting.

http.exceptionHandling()
        .authenticationEntryPoint(customEntryPoint)

When registering a customized AuthenticationEntryPoint through the above code, of course, we expect errors during the authentication process to be handled here, but this is not the case. Can I know the history of the order of the Spring Security Filter Chains?

Upvotes: 1

Views: 580

Answers (1)

Toerktumlare

Reputation: 14787

I wonder why the order of UsernamePasswordAuthenticationFilter is ahead of ExceptionTranslationFilter among the Filter Chains I wrote earlier.

I don't understand what you mean by "ahead"?

First of all, the full list and the order are clearly described in the docs.

Second of all, the list should be read down to up and then back down again for the response.

So first Spring Security intercepts the request, if HTTP security is configured. The interception is done in the FilterSecurityInterceptor filter. Then the request enters the ExceptionTranslationFilter which, as you mentioned, catches all security-related exceptions further down the chain, as pointed out in the docs here or as you can see in the direct source code here.

Later on we enter the UsernamePasswordAuthenticationFilter and if authentication fails, an exception is thrown and is caught in the ExceptionTranslationFilter etc.

So tbh, I think you have read the list the wrong way around.

If you want to learn about the filters, create a Spring Security application from Spring Initializr. Enable TRACE logs, enable FormLogin. Set a breakpoint in the FilterChainProxy class and then post a username and password as form parameters to /login and then start step debugging. You will then walk through the entire filter chain, and get all the logs out while doing it.

Upvotes: 0
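Added example, not code from either post: a minimal Spring Security configuration that registers both handlers the question mentions, so the two paths can be observed side by side. It assumes Spring Security 6 (jakarta servlet API, lambda DSL); the class name and the response bodies are hypothetical. A failed POST to /login is caught inside UsernamePasswordAuthenticationFilter (AbstractAuthenticationProcessingFilter) and goes to the AuthenticationFailureHandler, so ExceptionTranslationFilter and the AuthenticationEntryPoint never see it; an unauthenticated request to any other protected URL is the path that reaches the entry point.

```java
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

// Hypothetical class name; demonstrates which handler sees which AuthenticationException.
@Configuration
public class FilterOrderDemoConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Invoked by ExceptionTranslationFilter when an unauthenticated request reaches a
        // protected URL (e.g. GET /account with no session): the filters *after* it threw.
        AuthenticationEntryPoint entryPoint = (request, response, ex) -> {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.getWriter().write("entry-point: authentication required");
        };

        // Invoked by UsernamePasswordAuthenticationFilter itself when POST /login carries
        // bad credentials. The filter catches the AuthenticationException internally, so
        // the exception never propagates up to ExceptionTranslationFilter.
        AuthenticationFailureHandler failureHandler = (request, response, ex) -> {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            // Log the exception type; never echo the submitted credentials.
            response.getWriter().write("failure-handler: " + ex.getClass().getSimpleName());
        };

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(form -> form.failureHandler(failureHandler))
            .exceptionHandling(eh -> eh.authenticationEntryPoint(entryPoint));
        return http.build();
    }
}
```

With TRACE logging enabled as the answer suggests, the FilterChainProxy log lines show the request passing through ExceptionTranslationFilter before UsernamePasswordAuthenticationFilter, which is why the failure handler, not the entry point, produces the response for a bad login.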
