SecurityFilterChain controls how your app authenticates users and authorizes each request. It helps keep your app safe by deciding who can see what.
SecurityFilterChain configuration in Spring Boot
Introduction
You want to protect certain pages or APIs in your Spring Boot app.
You need to set up login and logout rules for users.
You want to allow some users to access admin features but block others.
You want to add security checks like requiring HTTPS or blocking certain IPs.
You want to customize how your app handles security without using default settings.
Syntax
Spring Boot
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth
            .requestMatchers("/public/**").permitAll()
            .anyRequest().authenticated()
        )
        .formLogin(withDefaults())
        .httpBasic(withDefaults());
    return http.build();
}
This method defines the security rules for your app.
Use requestMatchers to specify which URLs are open or protected. withDefaults is the static import org.springframework.security.config.Customizer.withDefaults shown in the sample program below.
Examples
This example allows anyone to visit /home and /about without logging in.
Spring Boot
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth
            .requestMatchers("/home", "/about").permitAll()
            .anyRequest().authenticated()
        )
        .formLogin(withDefaults());
    return http.build();
}
This example requires users to have the ADMIN role to access URLs under /admin.
Spring Boot
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth
            .requestMatchers("/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated()
        )
        .httpBasic(withDefaults());
    return http.build();
}
This example disables CSRF protection and requires login for all pages. Disabling CSRF is appropriate only for stateless APIs that browsers do not call with a session cookie; for an app that uses form login, keep the default CSRF protection enabled.
Spring Boot
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .csrf(csrf -> csrf.disable())
        .authorizeHttpRequests(auth -> auth
            .anyRequest().authenticated()
        )
        .formLogin(withDefaults());
    return http.build();
}
Sample Program
This configuration allows anyone to access URLs under /public without login. All other URLs require the user to log in. It supports form login and basic HTTP login.
Spring Boot
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(withDefaults())
            .httpBasic(withDefaults());
        return http.build();
    }
}
Important Notes
Always call http.build() at the end to create the filter chain.
Order of rules matters: more specific URL patterns should come before general ones.
Use permitAll() to allow open access, and authenticated() to require login.
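As an added example (not code from the original page), the configuration below combines the rules discussed above in one chain: specific matchers before the general one, a role check, a path restricted to a private address range, logout handling, and in-memory users for local testing. The /internal path, the 10.0.0.0/8 range and the user names and passwords are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Specific patterns first. anyRequest() must come last; Spring Security
                // rejects a chain that adds matchers after it at startup.
                .requestMatchers("/", "/public/**", "/css/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // Assumed internal-only path, limited to an assumed private range.
                .requestMatchers("/internal/**")
                    .access(new WebExpressionAuthorizationManager("hasIpAddress('10.0.0.0/8')"))
                .anyRequest().authenticated()
            )
            // CSRF protection stays enabled (the default) because browsers use form login here.
            .formLogin(withDefaults())
            .logout(logout -> logout.logoutSuccessUrl("/").permitAll());
        return http.build();
    }

    // In-memory users for local testing only; production uses a real UserDetailsService.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("user").password(encoder.encode("user-pass")).roles("USER").build(),
            User.withUsername("admin").password(encoder.encode("admin-pass")).roles("USER", "ADMIN").build()
        );
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Delegating encoder stores hashes with an algorithm prefix (bcrypt by default).
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

With this chain, a request to /admin/users from the "user" account returns 403, while "admin" is allowed through; an unauthenticated request to any other protected path is redirected to the generated login page.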
Summary
SecurityFilterChain defines who can access which parts of your app.
Use requestMatchers to set URL rules.
Remember to build and return the chain with http.build().