3 Ways to List all Spring Security Filters
- Written by Nam Ha Minh
- Last Updated on 05 July 2024
Spring Security manages a list of filters called the securityFilterChain. These filters intercept requests to apply authentication, authorization and other security measures such as exploit protection. Sometimes we need to know the exact names and order of all Spring Security filters registered in the current Spring application, for testing, debugging and development purposes. For example, knowing the exact order of the filters helps determine where to add a custom filter to the chain (using addFilterBefore() or addFilterAfter()).
In this article, I’d like to share 3 simple ways to get the list of all Spring Security filters that are registered in the current Spring application.
1. Look at Logs in the console
This is the easiest way. When your Spring application starts, look at the logs at the very beginning. You might see this line:
o.s.s.web.DefaultSecurityFilterChain - Will secure any request with [list of filters]
For example, below is a list of all Spring Security filters that can be easily spotted in the application’s console:
[org.springframework.security.web.session.DisableEncodeUrlFilter@11959ec3, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@36005351, org.springframework.security.web.context.SecurityContextHolderFilter@327f05cd, org.springframework.security.web.header.HeaderWriterFilter@6939864d, org.springframework.web.filter.CorsFilter@79b6878a, org.springframework.security.web.csrf.CsrfFilter@765fdc84, org.springframework.security.web.authentication.logout.LogoutFilter@7271589, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@5cf29894, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@5e99d17c, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@4af91d66, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@6318854d, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2f6cbf91, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@55984a5f, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@77a7e17c, org.springframework.security.web.access.ExceptionTranslationFilter@b50420d, org.springframework.security.web.access.intercept.AuthorizationFilter@d4233c7]
This is the list of all filters in the default security filter chain. It prints the fully qualified names of the filters, so it’s a little difficult to read. Note that the filters may vary depending on the security configuration of each application.
If you don’t see this kind of log, use the second method explained below.
2. Using @EnableWebSecurity Annotation
In this second way, annotate any @Configuration class with the @EnableWebSecurity annotation with the debug attribute enabled, for example:

    @Configuration
    @EnableWebSecurity(debug = true)
    public class SecurityConfig {
        ...
    }

When the first request hits the application, it will print all filters in the security filter chain in the application’s console in a nice format, like this:

    Security filter chain: [
      DisableEncodeUrlFilter
      WebAsyncManagerIntegrationFilter
      SecurityContextHolderFilter
      HeaderWriterFilter
      CorsFilter
      LogoutFilter
      BearerTokenAuthenticationFilter
      BasicAuthenticationFilter
      RequestCacheAwareFilter
      SecurityContextHolderAwareRequestFilter
      AnonymousAuthenticationFilter
      SessionManagementFilter
      ExceptionTranslationFilter
      AuthorizationFilter
    ]

Also note that this list may vary depending on the security configuration of your Spring application. Debug mode also logs details of incoming requests, and Spring Security’s own startup banner warns against using it in a production system, so enable it only while developing or troubleshooting.
3. List all Spring Security Filters Programmatically
In this third way, we create a @Component class that implements the CommandLineRunner interface, so its run() method will be executed right after the application starts. In this method, we print all filters registered to the securityFilterChain object, as shown below:

    package net.codejava;

    import java.util.List;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.CommandLineRunner;
    import org.springframework.security.web.SecurityFilterChain;
    import org.springframework.stereotype.Component;

    import jakarta.servlet.Filter;

    @Component
    public class SecurityFiltersPrinter implements CommandLineRunner {

        // Assumes exactly one SecurityFilterChain bean is defined in the application
        @Autowired
        SecurityFilterChain securityFilterChain;

        @Override
        public void run(String... args) throws Exception {
            // Filters are returned in the order in which they are applied to a request
            List<Filter> filters = securityFilterChain.getFilters();

            // Print the simple class name of each filter, one per line
            filters.forEach(filter -> System.out.println(filter.getClass().getSimpleName()));
        }
    }

And this is a sample output:

    DisableEncodeUrlFilter
    WebAsyncManagerIntegrationFilter
    SecurityContextHolderFilter
    HeaderWriterFilter
    CorsFilter
    LogoutFilter
    BearerTokenAuthenticationFilter
    BasicAuthenticationFilter
    RequestCacheAwareFilter
    SecurityContextHolderAwareRequestFilter
    AnonymousAuthenticationFilter
    SessionManagementFilter
    ExceptionTranslationFilter
    AuthorizationFilter

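To extend the third approach to applications that define more than one SecurityFilterChain bean, the following added example (not code from the original article) injects every chain, prints each chain's filters with their position, and flags chains that lack an AuthorizationFilter or a CsrfFilter. The class name SecurityFilterChainAuditor and the WARN/NOTE messages are assumptions made for this illustration.

```java
package net.codejava;

import java.util.List;
import org.springframework.boot.CommandLineRunner;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.stereotype.Component;
import jakarta.servlet.Filter;

// Added example (hypothetical class name): audits every SecurityFilterChain bean.
@Component
public class SecurityFilterChainAuditor implements CommandLineRunner {

    private final List<SecurityFilterChain> chains;

    // Spring injects all SecurityFilterChain beans, sorted by their @Order.
    public SecurityFilterChainAuditor(List<SecurityFilterChain> chains) {
        this.chains = chains;
    }

    @Override
    public void run(String... args) {
        for (int c = 0; c < chains.size(); c++) {
            SecurityFilterChain chain = chains.get(c);
            // DefaultSecurityFilterChain exposes the matcher that selects its requests.
            String scope = chain instanceof DefaultSecurityFilterChain d
                    ? d.getRequestMatcher().toString() : chain.getClass().getName();
            System.out.printf("Chain %d, applies to: %s%n", c, scope);

            List<Filter> filters = chain.getFilters();
            for (int i = 0; i < filters.size(); i++) {
                System.out.printf("  %2d  %s%n", i, filters.get(i).getClass().getSimpleName());
            }
            // Chains using the older FilterSecurityInterceptor will also trigger this warning.
            if (filters.stream().noneMatch(AuthorizationFilter.class::isInstance)) {
                System.out.println("  WARN: no AuthorizationFilter in this chain");
            } else if (!(filters.get(filters.size() - 1) instanceof AuthorizationFilter)) {
                System.out.println("  WARN: AuthorizationFilter is not last; review what runs after it");
            }
            // Expected for stateless token APIs, worth confirming for session-based ones.
            if (filters.stream().noneMatch(CsrfFilter.class::isInstance)) {
                System.out.println("  NOTE: no CsrfFilter, CSRF protection is off for this chain");
            }
        }
    }
}
```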
From this list, you’ll get helpful information for understanding and customizing security aspects of your Spring application.
So far, I have shared 3 different ways to list all Spring Security filters in a running Spring application. I hope you find my article helpful, and check out my other Spring Security tutorials below.
Learn more about Spring Security:
- Spring Security Registration and Login Tutorial
- Spring Security Role-based Authorization Tutorial
- Spring Security Remember Me Examples
- Spring Security Forgot Password Tutorial
- Spring Security Social Login with Google and Facebook
- Full Spring Security Tutorials List