The Nature of HttpSecurity
Spring Security 5.4 introduces a new way of configuring HttpSecurity.
In fact, HttpSecurity is used to build a filter chain, SecurityFilterChain, which holds a series of filters; normally our configuration revolves around building it.

From the diagram above we can see that the SecurityFilterChain that was built still has to be handed to FilterChainProxy, which proxies it. Isn't that a bit redundant?
The essence of WebSecurity
In some cases it is indeed superfluous, but more often we need to configure multiple SecurityFilterChains to implement multiple access-control policies.
To manage the life cycle of multiple SecurityFilterChains precisely, a unified management agent for them is required, and that is what WebSecurity is for. Here is the underlying logic of the build method of WebSecurity:
As you can see from the source code above, WebSecurity is used to build the Spring bean springSecurityFilterChain. Its role is to define which requests ignore security controls and which must go through them, to clear the SecurityContext when appropriate to avoid memory leaks, and to define the request firewall and the request-rejected handler; Spring Security debug mode, if we turn it on, is configured here as well.
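The following configuration class is an added example, not code from the original article or from Spring Security itself. It shows the 5.4-style component configuration described above: two HttpSecurity instances each build one SecurityFilterChain bean (the first-match order is fixed with @Order), and the WebSecurity-level concerns from this section (ignored requests, the request firewall, debug mode) are set through a WebSecurityCustomizer. The package name and the paths /api/**, /static/** and so on are assumptions for illustration.

```java
// Added example (not from the original article or from Spring Security):
// component-based configuration in the Spring Security 5.4 style.
package com.example.security; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Chain 1: only requests under /api/** (assumed path) reach this SecurityFilterChain.
    // @Order matters: FilterChainProxy dispatches to the FIRST chain whose matcher accepts
    // the request, so the narrower chain must come before the catch-all.
    @Bean
    @Order(1)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**")
            .authorizeRequests(authorize -> authorize
                .antMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic();
        return http.build(); // HttpSecurity builds exactly one SecurityFilterChain
    }

    // Chain 2: catch-all for every request that chain 1 did not match.
    @Bean
    @Order(2)
    public SecurityFilterChain webFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(authorize -> authorize
                .antMatchers("/", "/login").permitAll()
                .anyRequest().authenticated())
            .formLogin();
        return http.build();
    }

    // WebSecurity-level settings: which requests bypass Spring Security entirely,
    // the request firewall, and debug mode. These belong to WebSecurity, not HttpSecurity.
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(false); // the default, made explicit: path-parameter tricks are rejected
        return web -> web
            .ignoring().antMatchers("/static/**") // assumed static-resource path; no filter runs for it at all
            .and()
            .httpFirewall(firewall)
            .debug(false); // true only during development: it logs the filter list of every request
    }
}
```

Keep the ignoring() list to genuinely static, public content: an ignored request skips every filter in every chain, including the ones that add security headers and clear the SecurityContext, so dynamic endpoints that should be public are better expressed with permitAll() inside a chain.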
There is another role that other articles may not mention: FilterChainProxy is Spring Security's only export to the Spring framework application, and it is in turn wrapped by Spring's bridge to the Servlet world, DelegatingFilterProxy, which constitutes Spring's only export to the Servlet system. This isolates Spring Security, the Spring framework and the Servlet API from one another.
We can therefore consider WebSecurity the only external outlet of Spring Security, while HttpSecurity is just the way internal security policies are defined. WebSecurity corresponds to FilterChainProxy, HttpSecurity corresponds to SecurityFilterChain, and their common parent class is AbstractConfiguredSecurityBuilder. Once you have mastered these points you will know what the difference between them is.
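To see the correspondence just described in a running application, the helper below (an added example, not part of the original article or of Spring Security) resolves the springSecurityFilterChain bean as the FilterChainProxy that WebSecurity built and reports which SecurityFilterChain, and which filters, would serve a given path. The bean name springSecurityFilterChain and the method FilterChainProxy.getFilters(String) are real; the package name and the way you obtain the ApplicationContext (a Spring Boot test context, for instance) are left as assumptions.

```java
// Added example (not from the original article or from Spring Security):
// inspect the FilterChainProxy built by WebSecurity to check which chain
// handles a request. Useful when several SecurityFilterChains are ordered.
package com.example.security; // hypothetical package

import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.Filter;
import org.springframework.context.ApplicationContext;
import org.springframework.security.web.FilterChainProxy;

public final class FilterChainInspector {

    private FilterChainInspector() {
    }

    // Returns a human-readable description of the filters that run for the given path.
    // FilterChainProxy.getFilters(url) applies the same first-match logic as at runtime
    // and returns null when no SecurityFilterChain matches at all.
    public static String describe(ApplicationContext ctx, String path) {
        FilterChainProxy proxy = ctx.getBean("springSecurityFilterChain", FilterChainProxy.class);
        List<Filter> filters = proxy.getFilters(path);
        if (filters == null) {
            return path + ": no SecurityFilterChain matches (request bypasses Spring Security)";
        }
        if (filters.isEmpty()) {
            // WebSecurity.ignoring() registers a chain with zero filters for the ignored pattern.
            return path + ": matched an ignored chain (zero filters run)";
        }
        return path + ": " + filters.stream()
            .map(f -> f.getClass().getSimpleName())
            .collect(Collectors.joining(" -> "));
    }

    // Prints one line per path so ordering mistakes between chains are visible at a glance.
    public static void report(ApplicationContext ctx, String... paths) {
        for (String path : paths) {
            System.out.println(describe(ctx, path));
        }
    }
}
```

Running report(ctx, "/api/orders", "/login", "/static/app.css") against the configuration from the previous example would show the HTTP Basic filter only on the /api path, the form-login filters on /login, and zero filters on the ignored static path, which is exactly the WebSecurity-to-FilterChainProxy and HttpSecurity-to-SecurityFilterChain split this section describes.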