
How to Use SecurityFilterChain in Spring Boot for Custom Security

In Spring Boot, use SecurityFilterChain by defining a @Bean method that returns a configured SecurityFilterChain instance. This bean customizes HTTP security rules like authentication and authorization using the HttpSecurity object.

Syntax

The SecurityFilterChain is defined as a Spring bean method annotated with @Bean. Inside, you configure security rules using the HttpSecurity parameter and return the built filter chain.

  • @Bean: Marks the method as a bean provider.
  • HttpSecurity: Used to configure security settings like URL access, login, and CSRF.
  • build(): Finalizes and returns the configured SecurityFilterChain.
java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        // Deny by default: every request must carry an authenticated principal
        .authorizeHttpRequests(auth -> auth
            .anyRequest().authenticated()
        )
        // Enable the default login form; the no-argument formLogin() is deprecated in Spring Security 6.1+
        .formLogin(Customizer.withDefaults());
    return http.build();
}

Example

This example shows a complete Spring Boot security configuration that requires authentication for all requests and enables form login.

java
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Deny by default: every request must carry an authenticated principal
            .authorizeHttpRequests(auth -> auth
                .anyRequest().authenticated()
            )
            // Enable the default login form; the no-argument formLogin() is deprecated in Spring Security 6.1+
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}

Output

When running the Spring Boot app, all HTTP requests require login, and a default login form is shown.
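The page's example locks down every path. In practice a chain almost always mixes public, authenticated and role-restricted paths, and the order of the rules decides which one wins. The configuration below is an added example, not code from the original page: it keeps the deny-by-default catch-all, puts the more specific matchers first, and wires an in-memory user store with a delegating password encoder. The paths (/public/**, /admin/**), the two demo accounts and their passwords are constructed for illustration.

```java
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Rules are evaluated top to bottom and the first match wins,
                // so specific paths must be listed before the catch-all.
                .requestMatchers("/", "/public/**", "/error").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()          // deny by default for everything else
            )
            .formLogin(Customizer.withDefaults())      // no-arg formLogin() is deprecated in 6.1+
            .logout(Customizer.withDefaults());
        // CSRF protection and the default security headers are left enabled.
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Produces "{bcrypt}..." hashes; never store plaintext passwords.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed demo accounts for local testing only (hypothetical values).
        UserDetails user = User.withUsername("user")
            .password(encoder.encode("user-password"))
            .roles("USER")
            .build();
        UserDetails admin = User.withUsername("admin")
            .password(encoder.encode("admin-password"))
            .roles("USER", "ADMIN")
            .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

With this chain an anonymous request to /admin/reports is redirected to the login form, a logged-in user without ROLE_ADMIN receives 403, and only the admin account reaches it. Swapping the two requestMatchers lines would not change the outcome here, but moving anyRequest() above them would make every later rule unreachable, so keep the catch-all last.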

Common Pitfalls

  • Not annotating the configuration class with @Configuration causes the bean not to register.
  • Forgetting to return http.build() results in no filter chain being created.
  • Using deprecated methods like authorizeRequests() instead of authorizeHttpRequests() in Spring Security 6+.
  • Defining multiple SecurityFilterChain beans without specifying order can cause conflicts.
java
/* Wrong: Missing @Configuration and returning void */
@Bean
public void securityFilterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
    // Missing return statement
}

/* Right: Proper bean with return */
@Configuration
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
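The fourth pitfall above, several SecurityFilterChain beans without an order, is best shown with a working two-chain layout. This is an added example, not code from the original page: a stateless chain for /api/** that uses HTTP Basic, and a form-login chain for everything else. The path prefixes are constructed; what matters is that each chain gets an explicit @Order and that the narrower chain declares a securityMatcher().

```java
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MultiChainSecurityConfig {

    // Chain 1 is consulted first (lowest @Order value). securityMatcher() limits it
    // to /api/**, so it never claims requests meant for the web chain below.
    @Bean
    @Order(1)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/health").permitAll()   // constructed unauthenticated probe path
                .anyRequest().authenticated()
            )
            .httpBasic(Customizer.withDefaults())
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            );
        return http.build();
    }

    // Chain 2 has no securityMatcher, so it matches any request the API chain
    // did not claim. A catch-all chain must be ordered last: placed before a
    // narrower chain it would shadow it, and Spring Security rejects that layout at startup.
    @Bean
    @Order(2)
    public SecurityFilterChain webFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

A request for /api/orders is handled only by apiFilterChain (401 with a WWW-Authenticate header when anonymous), while /account falls through to webFilterChain and is redirected to the login form. Both chains keep CSRF protection enabled; relaxing it is a separate decision that depends on the client and credential type, not something the ordering requires.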

Quick Reference

Key points to remember when using SecurityFilterChain in Spring Boot:

  • Define a @Bean method returning SecurityFilterChain.
  • Use HttpSecurity to configure security rules.
  • Always call http.build() to return the chain.
  • Annotate the class with @Configuration.
  • Use authorizeHttpRequests() for request authorization.

Key Takeaways

Define SecurityFilterChain as a @Bean method returning http.build() to customize security.
Use HttpSecurity to set rules like authentication and form login inside the bean method.
Annotate your configuration class with @Configuration to register the bean properly.
Avoid deprecated methods, and keep a single SecurityFilterChain bean or give each bean an explicit order if you define several.
Always test your security setup by running the app and verifying access restrictions.