How does the doFilter method of the FilterChainProxy work?

Question

I was going through the source code of the org.springframework.security.web.FilterChainProxy class. I want to undersatnd how its doFilter method work. The following is the code.

public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException 
{
    FilterInvocation fi = new FilterInvocation(request, response, chain);
    List<Filter> filters = getFilters(fi.getRequestUrl());

    if (filters == null || filters.size() == 0) {
        if (logger.isDebugEnabled()) {
            logger.debug(fi.getRequestUrl() +
                    filters == null ? " has no matching filters" : " has an empty filter list");
        }

        chain.doFilter(request, response);

        return;
    }

    VirtualFilterChain virtualFilterChain = new VirtualFilterChain(fi, filters);
    virtualFilterChain.doFilter(fi.getRequest(), fi.getResponse());

}

My understanding is If I define custom filter not related to Spring in the web.xml , they will be included in the FilterChain object passed to the FilterChainProxy (I understand this happens via the DelegatingFilterProxy). Is that correct?

I think the IF block gets executed when there are non-spring Filters defined in the web.xml and when there are no Filters defined in the application context.

VirtualFilterChain here caters for Filters defined in the application text.

There is a return statement in the If block which prevents VirtualFilterChain section getting executed.

But how does this handle both Filters defined in the web.xml and the ones defined in the application context?

Answer 1

the "filterChain" parameter refers to the Servlet filters defined in web.xml. Look at this code in DelegatingFilterProxy.java

public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {

    // Lazily initialize the delegate if necessary.
    Filter delegateToUse = this.delegate;
    if (delegateToUse == null) {
        ...
    }

    // Let the delegate perform the actual doFilter operation.
    invokeDelegate(delegateToUse, request, response, filterChain);
}

The invokeDelegate(...) is what invokes FilterChainProxy's doFilter(...) method.

List<Filter> filters = getFilters(fi.getRequestUrl());

generates a list of Spring Security filters that match given url (some filters are listed in this section ).

If no Spring Security filters match the requestUrl, the execution just moves on to the rest of the filters defined in web.xml. That's what the if() block is for.

virtualFilterChain.doFilter(fi.getRequest(), fi.getResponse());

This is where Spring Security filters' doFilter(...) methods get called. So, for example, if you have UsernamePasswordAuthenticationFilter as one of the filters configured, then virtualFilterChain.doFilter(...) will eventually invoke UsernamePasswordAuthenticationFilter's doFilter(...) method.