[[servlet-authorization-filtersecurityinterceptor]] = Authorize HttpServletRequest with FilterSecurityInterceptor :figures: servlet/authorization [NOTE] ==== `FilterSecurityInterceptor` is in the process of being replaced by xref:servlet/authorization/authorize-http-requests.adoc[`AuthorizationFilter`]. Consider using that instead. ==== This section builds on xref:servlet/architecture.adoc#servlet-architecture[Servlet Architecture and Implementation] by digging deeper into how xref:servlet/authorization/index.adoc#servlet-authorization[authorization] works within Servlet-based applications. The {security-api-url}org/springframework/security/web/access/intercept/FilterSecurityInterceptor.html[`FilterSecurityInterceptor`] provides xref:servlet/authorization/index.adoc#servlet-authorization[authorization] for `HttpServletRequest` instances. It is inserted into the xref:servlet/architecture.adoc#servlet-filterchainproxy[FilterChainProxy] as one of the xref:servlet/architecture.adoc#servlet-security-filters[Security Filters]. The following image shows the role of `FilterSecurityInterceptor`: .Authorize HttpServletRequest image::{figures}/filtersecurityinterceptor.png[] image:{icondir}/number_1.png[] The `FilterSecurityInterceptor` obtains an xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[Authentication] from the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder]. image:{icondir}/number_2.png[] `FilterSecurityInterceptor` creates a {security-api-url}org/springframework/security/web/FilterInvocation.html[`FilterInvocation`] from the `HttpServletRequest`, `HttpServletResponse`, and `FilterChain` that are passed into the `FilterSecurityInterceptor`. image:{icondir}/number_3.png[] It passes the `FilterInvocation` to `SecurityMetadataSource` to get the ``ConfigAttribute``s. image:{icondir}/number_4.png[] It passes the `Authentication`, `FilterInvocation`, and ``ConfigAttribute``s to the `AccessDecisionManager`. image:{icondir}/number_5.png[] If authorization is denied, an `AccessDeniedException` is thrown. In this case, the xref:servlet/architecture.adoc#servlet-exceptiontranslationfilter[`ExceptionTranslationFilter`] handles the `AccessDeniedException`. image:{icondir}/number_6.png[] If access is granted, `FilterSecurityInterceptor` continues with the xref:servlet/architecture.adoc#servlet-filters-review[`FilterChain`], which lets the application process normally. // configuration (xml/java) By default, Spring Security's authorization requires all requests to be authenticated. The following listing shows the explicit configuration: [[servlet-authorize-requests-defaults]] .Every Request Must be Authenticated ==== .Java [source,java,role="primary"] ---- @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http // ... .authorizeRequests(authorize -> authorize .anyRequest().authenticated() ); return http.build(); } ---- .XML [source,xml,role="secondary"] ----

---- .Kotlin [source,kotlin,role="secondary"] ---- @Bean open fun filterChain(http: HttpSecurity): SecurityFilterChain { http { // ... authorizeRequests { authorize(anyRequest, authenticated) } } return http.build() } ---- ==== We can configure Spring Security to have different rules by adding more rules in order of precedence: .Authorize Requests ==== .Java [source,java,role="primary"] ---- @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http // ... .authorizeRequests(authorize -> authorize // <1> .requestMatchers("/resources/**", "/signup", "/about").permitAll() // <2> .requestMatchers("/admin/**").hasRole("ADMIN") // <3> .requestMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // <4> .anyRequest().denyAll() // <5> ); return http.build(); } ---- .XML [source,xml,role="secondary"] ----

---- .Kotlin [source,kotlin,role="secondary"] ---- @Bean open fun filterChain(http: HttpSecurity): SecurityFilterChain { http { authorizeRequests { // <1> authorize("/resources/**", permitAll) // <2> authorize("/signup", permitAll) authorize("/about", permitAll) authorize("/admin/**", hasRole("ADMIN")) // <3> authorize("/db/**", "hasRole('ADMIN') and hasRole('DBA')") // <4> authorize(anyRequest, denyAll) // <5> } } return http.build() } ---- ==== <1> There are multiple authorization rules specified. Each rule is considered in the order they were declared. <2> We specified multiple URL patterns that any user can access. Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about". <3> Any URL that starts with "/admin/" will be restricted to users who have the role "ROLE_ADMIN". You will notice that since we are invoking the `hasRole` method we do not need to specify the "ROLE_" prefix. <4> Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA". You will notice that since we are using the `hasRole` expression we do not need to specify the "ROLE_" prefix. <5> Any URL that has not already been matched on is denied access. This is a good strategy if you do not want to accidentally forget to update your authorization rules. ==== [[filtersecurityinterceptor-every-request]] == Configure FilterSecurityInterceptor with Dispatcher Types By default, the `FilterSecurityInterceptor` applies to every request. This means that if a request is dispatched from a request that was already filtered, the `FilterSecurityInterceptor` will perform the same authorization checks on the dispatched request. In some scenarios, you may not want to apply authorization on some dispatcher types: .Permit ASYNC and ERROR dispatcher types ==== .Java [source,java,role="primary"] ---- @Bean SecurityFilterChain web(HttpSecurity http) throws Exception { http .authorizeRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ASYNC, DispatcherType.ERROR).permitAll() .anyRequest.authenticated() ) // ... return http.build(); } ---- .XML [source,xml] ----

---- ====