Home/ Questions/Q 8987363
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T21:46:19+00:00

I was following this tutorial: http://www.mkyong.com/spring-security/spring-security-hello-world-example/ In the spring-security-xml <http auto-config=true> <intercept-url pattern=/welcome* access=ROLE_USER

  • 0

I was following this tutorial:
http://www.mkyong.com/spring-security/spring-security-hello-world-example/

In the spring-security-xml

<http auto-config="true">
    <intercept-url pattern="/welcome*" access="ROLE_USER" />
</http>

And in the web.xml, we must define the actual filter

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
              org.springframework.web.filter.DelegatingFilterProxy
            </filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

So I don’t get this, we are mapping the interception to 2 urls in 2 places. To /welcome* and /*. Why we need both of these? Am I missing something here?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    DelegatingFilterProxy is not a Spring Security class. It is from Spring Web package.

    Proxy for a standard Servlet 2.3 Filter, delegating to a
    Spring-managed bean that implements the Filter interface. Supports a
    “targetBeanName” filter init-param in web.xml, specifying the name
    of the target bean in the Spring application context.

    When you use

    <http auto-config="true">

</http>

    Spring Security creates (implicitly) bean with name springSecurityFilterChain (that’s why you have <filter-name>springSecurityFilterChain</filter-name> in your web.xml) and all requests (/*) are processed by it (by Spring Security).

    Then you configure Spring Security and give it more specific URL (/*welcome). 

    <intercept-url pattern="/welcome*" access="ROLE_USER" />

    It’s like saying:

    • All URL requests (/*) should be investigated by Spring Security
    • When URL matches /welcome* principal should have ROLE_USER role.

    If your application requires more advanced security processing you can create that filter chain bean by yourself and configure all filters manually.

    Example:

    <!-- Filter Chain -->
<bean id="springSecurityFilterChain"
      class="org.springframework.security.web.FilterChainProxy">
    <constructor-arg>
        <list>
            <sec:filter-chain pattern="/favicon.ico"
                              filters="none"/>

            <sec:filter-chain pattern="/img/**"
                              filters="none"/>

            <sec:filter-chain pattern="/**" 
                 filters="bannedIPsFilter, <!-- custom filter -->
                         channelProcessingFilter,
                         securityContextPersistenceFilter,
                         concurrentSessionFilter,
                         logoutFilter,
                         secondAuthenticationFilter, <!-- custom filter -->
                         openIDAuthenticationFilter,
                         usernamePasswordAuthenticationFilter,
                         anonymousAuthenticationFilter,
                         captchaFilter, <!-- custom filter -->
                         sessionManagementFilter,
                         exceptionTranslationFilter,
                         filterSecurityInterceptor,
                         switchUserProcessingFilter"
                    />
        </list>
    </constructor-arg>
</bean>
    • 0