The order that filters are defined in web.xml is very important. Irrespective of which filters you are actually using, the order of the <filter-mapping>s should be as follows:

1. ChannelProcessingFilter, because it might need to redirect to a different protocol
2. ConcurrentSessionFilter, because it doesn't use any SecurityContextHolder functionality but needs to update the SessionRegistry to reflect ongoing requests from the principal
3. HttpSessionContextIntegrationFilter, so a SecurityContext can be set up in the SecurityContextHolder at the beginning of a web request, and any changes to the SecurityContext can be copied to the HttpSession when the web request ends (ready for use with the next web request)
4. Authentication processing mechanisms - AuthenticationProcessingFilter, CasProcessingFilter, BasicProcessingFilter, HttpRequestIntegrationFilter, JbossIntegrationFilter etc - so that the SecurityContextHolder can be modified to contain a valid Authentication request token
5. The SecurityContextHolderAwareRequestFilter, if you are using it to install an Acegi Security aware HttpServletRequestWrapper into your servlet container
6. RememberMeProcessingFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, and the request presents a cookie that enables remember-me services to take place, a suitable remembered Authentication object will be put there
7. AnonymousProcessingFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, an anonymous Authentication object will be put there
8. ExceptionTranslationFilter, to catch any Acegi Security exceptions so that either an HTTP error response can be returned or an appropriate AuthenticationEntryPoint can be launched
9. FilterSecurityInterceptor, to protect web URIs
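The ordering above, expressed as a FilterChainProxy chain definition. This is an added example and not configuration taken from the Acegi reference; the filter bean ids (channelProcessingFilter, concurrentSessionFilter and so on) are assumed names for beans you must define elsewhere in the same Spring context, and the filters are invoked in the order they are listed after the URL pattern.

```xml
<!-- Spring bean definition, e.g. in applicationContext.xml.
     Added example; the bean ids after "=" are assumed names and every one
     of them must exist as a javax.servlet.Filter bean in this context. -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=channelProcessingFilter,concurrentSessionFilter,httpSessionContextIntegrationFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
    </value>
  </property>
</bean>
```

Drop any filter you are not using from the comma-separated list, but keep the relative order of the remaining ones. The two keyword lines only affect how the request URL is matched against the pattern; they do not change the bean names, which are case-sensitive.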
All of the above filters use FilterToBeanProxy or FilterChainProxy. It is recommended that a single FilterToBeanProxy proxy through to a single FilterChainProxy for each application, with that FilterChainProxy defining all of the Acegi Security Filters. With that arrangement web.xml carries only one Acegi <filter-mapping>, and the ordering above is expressed in the FilterChainProxy's chain definition, where the filters listed for a URL pattern run in the order written.
If you're using SiteMesh, ensure Acegi Security filters execute before the SiteMesh filters are called: the servlet container invokes filters in the order of their <filter-mapping> elements in web.xml, so the Acegi mapping must precede SiteMesh's. This enables the SecurityContextHolder to be populated in time for use by SiteMesh decorators.
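A web.xml fragment wiring a single FilterToBeanProxy to the FilterChainProxy bean, with the Acegi mapping placed ahead of a SiteMesh mapping. This is an added example, not configuration from the Acegi reference; the filter names are illustrative, and it assumes the Spring context containing the FilterChainProxy bean is loaded by ContextLoaderListener.

```xml
<!-- web.xml fragment. Added example; filter-name values are arbitrary. -->
<filter>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <!-- Locate the FilterChainProxy bean by type. If the context holds more
         than one bean of that type, use the targetBean init-param with the
         bean id instead. -->
    <param-name>targetClass</param-name>
    <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>sitemesh</filter-name>
  <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
</filter>

<!-- Mapping order is execution order: Acegi first, so the
     SecurityContextHolder is populated before SiteMesh decorates the page. -->
<filter-mapping>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>sitemesh</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- FilterToBeanProxy looks the bean up in the root WebApplicationContext,
     so that context must be loaded (assumed here via ContextLoaderListener). -->
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
```

A quick check after deployment: a decorator that reads the current principal should see the authenticated user rather than an empty SecurityContextHolder; if it does not, the SiteMesh <filter-mapping> has ended up ahead of the Acegi one.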