Discover how one simple configuration can protect your entire app effortlessly!
Why SecurityFilterChain configuration in Spring Boot? - Purpose & Use Cases
Imagine manually checking every web request in your app to decide who can see what, writing lots of if-else code everywhere.
Manually handling security is error-prone, hard to maintain, and easy to miss important checks, leaving your app vulnerable.
SecurityFilterChain lets you define clear, reusable rules for request security in one place, so your app stays safe and your code stays clean.
if (user.isAdmin()) { allowAccess(); } else { denyAccess(); } // repeated everywhere
http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated()).build();
You can easily control who accesses what in your app with simple, centralized security rules.
Protecting admin pages so only logged-in admins can see them, while letting everyone else browse public pages freely.
Manual security checks are messy and risky.
SecurityFilterChain centralizes and simplifies security rules.
This keeps your app safer and your code easier to manage.
Practice
SecurityFilterChain in Spring Boot?
Solution
Step 1: Understand the role of SecurityFilterChain
The SecurityFilterChain is used in Spring Security to define how HTTP requests are secured, including which URLs require authentication and what roles can access them.
Step 2: Compare with other options
Database connections, logging, and file uploads are unrelated to SecurityFilterChain's purpose.
Final Answer:
To define security rules for web requests and control access -> Option B
Quick Check:
SecurityFilterChain controls web security = D [OK]
- Confusing SecurityFilterChain with database or logging config
- Thinking it manages file uploads
- Assuming it handles application-wide settings
SecurityFilterChain bean in Spring Boot?
Solution
Step 1: Identify correct bean declaration syntax
In Spring Boot, a SecurityFilterChain bean must be annotated with @Bean, accept HttpSecurity as a parameter, and return the built chain with http.build().
Step 2: Check each option
@Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { return http.build(); } correctly uses @Bean, returns SecurityFilterChain, and calls http.build().
Options B and D have wrong return types or missing annotations.
@Component public void filterChain(HttpSecurity http) { http.build(); } uses @Component and a void return type, which is incorrect.
Final Answer:
@Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { return http.build(); } -> Option D
Quick Check:
Correct bean method signature = C [OK]
- Forgetting @Bean annotation
- Using void return type
- Not passing HttpSecurity parameter
/admin URL?
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/admin").hasRole("ADMIN")
.anyRequest().authenticated()
).formLogin();
return http.build();
}
Solution
Step 1: Analyze the authorization rules
The config states that requests to "/admin" require the user to have role "ADMIN". All other requests require authentication but no specific role.
Step 2: Understand formLogin and access control
Form login is enabled, so users must log in. Only users with the ADMIN role can access /admin; others will be blocked or redirected to login.
Final Answer:
Only users with role ADMIN can access /admin; others must log in -> Option C
Quick Check:
/admin requires ADMIN role = A [OK]
- Assuming /admin is open to all
- Ignoring role restrictions
- Thinking formLogin disables security
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/user").authenticated()
.anyRequest().permitAll()
);
return http.build();
}
Solution
Step 1: Check method signature for exceptions
The http.build() method can throw a checked exception, so the method should declare throws Exception.
Step 2: Verify return statement and method correctness
The method returns http.build() correctly. The order of authenticated() and permitAll() is valid. So the only issue is the missing exception declaration.
Final Answer:
Missing throws Exception in method signature -> Option A
Quick Check:
http.build() may throw Exception = B [OK]
- Omitting throws Exception causes compile error
- Misunderstanding order of permitAll and authenticated
- Forgetting to return http.build()
/public/**, requires authentication for /user/**, restricts /admin/** to users with role ADMIN, and denies access to all other requests. Which configuration snippet correctly implements this?
Solution
Step 1: Match access rules to URL patterns
The requirement is: /public/** open to all (permitAll), /user/** requires authentication, /admin/** requires the ADMIN role, and all others denied.
Step 2: Check each option's order and rules
@Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests(auth -> auth .requestMatchers("/public/**").permitAll() .requestMatchers("/user/**").authenticated() .requestMatchers("/admin/**").hasRole("ADMIN") .anyRequest().denyAll() ).formLogin(); return http.build(); } matches the requirements exactly.
@Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests(auth -> auth .requestMatchers("/admin/**").hasRole("ADMIN") .requestMatchers("/user/**").authenticated() .requestMatchers("/public/**").permitAll() .anyRequest().authenticated() ).formLogin(); return http.build(); } allows anyRequest authenticated (not denyAll).
@Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests(auth -> auth .requestMatchers("/public/**").authenticated() .requestMatchers("/user/**").permitAll() .requestMatchers("/admin/**").hasRole("ADMIN") .anyRequest().denyAll() ).formLogin(); return http.build(); } swaps permitAll and authenticated for /public and /user incorrectly.
@Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests(auth -> auth .requestMatchers("/public/**").permitAll() .requestMatchers("/user/**").permitAll() .requestMatchers("/admin/**").authenticated() .anyRequest().denyAll() ).formLogin(); return http.build(); } permits /user/** to all and only authenticates /admin/**, which is wrong.
Final Answer:
@Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests(auth -> auth .requestMatchers("/public/**").permitAll() .requestMatchers("/user/**").authenticated() .requestMatchers("/admin/**").hasRole("ADMIN") .anyRequest().denyAll() ).formLogin(); return http.build(); } -> Option A
Quick Check:
Correct URL access rules = A [OK]
- Mixing permitAll and authenticated for URLs
- Forgetting to restrict admin URLs by role
- Using anyRequest().authenticated() instead of denyAll()
