Spring Bootframework~30 mins

SecurityFilterChain configuration in Spring Boot - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Perf

SecurityFilterChain configuration

📖 Scenario: You are building a simple Spring Boot web application that needs basic security setup.You want to configure which URLs require authentication and which do not.

🎯 Goal: Create a SecurityFilterChain bean that configures HTTP security to allow public access to the home page and require authentication for all other requests.

📋 What You'll Learn

Create a SecurityFilterChain bean method named securityFilterChain

Use HttpSecurity to configure security

Allow all requests to / without authentication

Require authentication for any other request

Enable form login for authentication

💡 Why This Matters

🌍 Real World

Web applications often need to control which pages users can see without logging in and which require login. This setup is a common starting point.

💼 Career

Understanding SecurityFilterChain configuration is essential for backend developers working with Spring Boot to secure web applications.

Progress0 / 4 steps

Create SecurityFilterChain bean method

Create a method named securityFilterChain that returns SecurityFilterChain and accepts a parameter HttpSecurity http. Annotate this method with @Bean.

Spring Boot

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

public class SecurityConfig {
    // Create securityFilterChain method here
}

Need a hint?

Define a method with @Bean annotation that returns SecurityFilterChain and takes HttpSecurity http as parameter.

Configure public access to home page

Inside the securityFilterChain method, configure http to allow all requests to "/" without authentication using authorizeHttpRequests and requestMatchers.

Spring Boot

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Allow public access to "/"
        // Your code here
        return null;
    }
}

Need a hint?

Use http.authorizeHttpRequests(auth -> auth.requestMatchers("/").permitAll()) to allow public access to the home page.

Require authentication for other requests and enable form login

Extend the http configuration to require authentication for any request other than "/" by adding anyRequest().authenticated(). Also enable form login by calling formLogin().

Spring Boot

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Require authentication for other requests and enable form login
        // Your code here
        return null;
    }
}

Need a hint?

Chain .anyRequest().authenticated() and .formLogin() after permitting "/".

Return the built SecurityFilterChain

Complete the securityFilterChain method by returning the built SecurityFilterChain from http.build().

Spring Boot

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            .requestMatchers("/").permitAll()
            .anyRequest().authenticated()
        ).formLogin();
        // Return the built SecurityFilterChain
        // Your code here
    }
}

Need a hint?

Use return http.build(); to return the configured SecurityFilterChain.