Recall & Review
beginner
What is the purpose of a SecurityFilterChain in Spring Boot?
A SecurityFilterChain defines the order and rules for security filters that process HTTP requests. It controls how requests are authenticated and authorized before reaching the application.
beginner
How do you create a SecurityFilterChain bean in Spring Boot?
You create a SecurityFilterChain bean by defining a method annotated with @Bean that returns a SecurityFilterChain object, usually built using HttpSecurity to configure security rules.
intermediate
What does the method http.authorizeHttpRequests() configure in SecurityFilterChain?
It configures which HTTP requests require authentication or specific roles and which are allowed without authentication.
intermediate
Why is the order of filters important in a SecurityFilterChain?
The order determines how requests are processed. Filters earlier in the chain can block or modify requests before later filters see them, affecting security behavior.
intermediate
What is the role of http.csrf().disable() in SecurityFilterChain configuration?
It disables Cross-Site Request Forgery protection, which might be needed for APIs or non-browser clients but should be used carefully to avoid security risks.
Which annotation is used to define a SecurityFilterChain bean in Spring Boot?
A. @Component
B. @Controller
C. @Service
D. @Bean
The @Bean annotation marks a method that returns a bean managed by Spring, such as SecurityFilterChain.
What does http.authorizeHttpRequests().anyRequest().authenticated() do?
A. Allows all requests without authentication
B. Blocks all requests
C. Requires authentication for every request
D. Only allows GET requests
This configuration requires every HTTP request to be authenticated.
Why might you disable CSRF protection in SecurityFilterChain?
A. To improve performance
B. For APIs that do not use cookies
C. To allow all users access
D. To enable HTTPS
CSRF protection is mainly for browser clients using cookies; APIs without cookies often disable it.
What is the effect of filter order in SecurityFilterChain?
A. Filters run in the order defined, affecting request processing
B. No effect, filters run in parallel
C. Filters run randomly
D. Filters only run if previous filters fail
Filters run in the order they are defined, so order affects how requests are handled.
Which method is used to start configuring HTTP security in SecurityFilterChain?
A. http.authorizeHttpRequests()
B. http.configure()
C. http.build()
D. http.start()
http.authorizeHttpRequests() begins the configuration of request authorization rules.
Explain how to configure a SecurityFilterChain bean to require authentication for all requests except for a public home page.
Think about using permitAll() for the home page and authenticated() for others.
Describe why filter order matters in SecurityFilterChain and give an example of a filter that should run early.
Consider what happens if authentication runs after authorization.
Practice
1. What is the primary purpose of a SecurityFilterChain in Spring Boot?
easy
A. To handle file uploads
B. To define security rules for web requests and control access
C. To manage application logging levels
D. To configure database connections
Solution
Step 1: Understand the role of SecurityFilterChain
The SecurityFilterChain is used in Spring Security to define how HTTP requests are secured, including which URLs require authentication and what roles can access them.
Step 2: Compare with other options
Database connections, logging, and file uploads are unrelated to SecurityFilterChain's purpose.
Final Answer:
To define security rules for web requests and control access -> Option B
Quick Check:
SecurityFilterChain controls web security = D [OK]
Hint: SecurityFilterChain controls web request security rules [OK]
Common Mistakes:
Confusing SecurityFilterChain with database or logging config
Thinking it manages file uploads
Assuming it handles application-wide settings
2. Which of the following is the correct way to declare a SecurityFilterChain bean in Spring Boot?
easy
A. @Component public void filterChain(HttpSecurity http) { http.build(); }
B. public SecurityFilterChain filterChain() { return new SecurityFilterChain(); }
C. @Bean public void filterChain() { return http.build(); }
D. @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { return http.build(); }
Solution
Step 1: Identify correct bean declaration syntax
In Spring Boot, a SecurityFilterChain bean must be annotated with @Bean, accept HttpSecurity as a parameter, and return the built chain with http.build().
Step 2: Check each option
Option D (@Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { return http.build(); }) correctly uses @Bean, returns SecurityFilterChain, and calls http.build(). Options B and D have wrong return types or missing annotations. Option A (@Component public void filterChain(HttpSecurity http) { http.build(); }) uses @Component and a void return type, which is incorrect.
Final Answer:
@Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { return http.build(); } -> Option D
Quick Check:
Correct bean method signature = C [OK]
Hint: Bean method must return SecurityFilterChain and use @Bean [OK]
Common Mistakes:
Forgetting @Bean annotation
Using void return type
Not passing HttpSecurity parameter
3. Given this SecurityFilterChain configuration snippet, what will happen when a user accesses /admin URL?
D. Using permitAll() before authenticated() causes error
Solution
Step 1: Check method signature for exceptions
The http.build() method can throw a checked exception, so the method should declare throws Exception.
Step 2: Verify return statement and method correctness
The method returns http.build() correctly. The order of authenticated() and permitAll() is valid. So the only issue is missing exception declaration.
Final Answer:
Missing throws Exception in method signature -> Option A
Quick Check:
http.build() may throw Exception = B [OK]
Hint: Add throws Exception when calling http.build() [OK]
Common Mistakes:
Omitting throws Exception causes compile error
Misunderstanding order of permitAll and authenticated
Forgetting to return http.build()
5. You want to configure a SecurityFilterChain that allows anonymous access to /public/**, requires authentication for /user/**, restricts /admin/** to users with role ADMIN, and denies all other requests. Which configuration snippet correctly implements this?
hard
A. @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/public/**").permitAll()
.requestMatchers("/user/**").authenticated()
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().denyAll()
).formLogin();
return http.build();
}
B. @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/admin/**").hasRole("ADMIN")
.requestMatchers("/user/**").authenticated()
.requestMatchers("/public/**").permitAll()
.anyRequest().authenticated()
).formLogin();
return http.build();
}
C. @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/public/**").authenticated()
.requestMatchers("/user/**").permitAll()
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().denyAll()
).formLogin();
return http.build();
}
D. @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/public/**").permitAll()
.requestMatchers("/user/**").permitAll()
.requestMatchers("/admin/**").authenticated()
.anyRequest().denyAll()
).formLogin();
return http.build();
}
Solution
Step 1: Match access rules to URL patterns
The requirement is: /public/** open to all (permitAll), /user/** requires authentication, /admin/** requires ADMIN role, and all others denied.
Step 2: Check each option's order and rules
Option A matches the requirements exactly. Option B allows anyRequest authenticated (not denyAll). Option C swaps permitAll and authenticated for /public and /user incorrectly. Option D permits /user/** to all and only authenticates /admin/**, which is wrong.