From: https://www.w3cschool.cn/springsecurity/4j1s1iid.html
The bottom layer of Spring Security is managed through a series of Filters. Each Filter has its own function, and the Filters depend on one another, so their order is also very important.
Filter order
Spring Security defines a number of Filters; whichever of them you use in an application, they should be kept in the following order.
1. ChannelProcessingFilter: if the request arrived over the wrong channel, it redirects to the required channel first, for example from http to https.
2. SecurityContextPersistenceFilter, so that a SecurityContext can be established in the SecurityContextHolder at the beginning of the request, and at the end of the request any changes to the SecurityContext can be copied to the HttpSession.
3. ConcurrentSessionFilter, because it needs the SecurityContextHolder to be populated: it updates the last-update time of the corresponding session, obtains the current SessionInformation through the SessionRegistry to check whether the session has expired, and calls the LogoutHandler if it has.
4. Authentication processing mechanisms, such as UsernamePasswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter, etc., so that the SecurityContextHolder can be updated to contain a valid Authentication.
5. SecurityContextHolderAwareRequestFilter, which wraps the HttpServletRequest in a SecurityContextHolderAwareRequestWrapper (a subclass of HttpServletRequestWrapper) that uses the SecurityContext to implement the security-related methods of HttpServletRequest.
6. JaasApiIntegrationFilter: if the Authentication held in the SecurityContextHolder is a JaasAuthenticationToken, this Filter continues executing the FilterChain as the Subject contained in that JaasAuthenticationToken.
7. RememberMeAuthenticationFilter: if no earlier authentication mechanism has updated the SecurityContextHolder and the request contains a Remember-Me cookie, a corresponding Authentication is set in the SecurityContextHolder.
8. AnonymousAuthenticationFilter: if no earlier authentication mechanism has updated the Authentication held by the SecurityContextHolder, an AnonymousAuthenticationToken is set in the SecurityContextHolder.
9. ExceptionTranslationFilter, which handles any AccessDeniedException or AuthenticationException thrown within the FilterChain and converts it into the corresponding HTTP error code or a redirect to the corresponding page.
10. FilterSecurityInterceptor, which protects Web URIs and throws an exception when access is denied.
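As an added example (not code from the original page or from the Spring Security project), the following configuration shows how the order above is relied on in practice: a hypothetical audit filter, AuthStateAuditFilter, is registered after AnonymousAuthenticationFilter (step 8), so by the time it runs the SecurityContextHolder is guaranteed to hold either a real or an anonymous Authentication, while the access decision is still made later in the chain (step 10). It assumes Spring Security 6 with the jakarta.servlet API.

```java
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class FilterOrderConfig {
    // Hypothetical audit filter (assumption, not part of Spring Security). Because it is
    // placed after AnonymousAuthenticationFilter, an Authentication is always present here.
    static class AuthStateAuditFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            // Expose the state to downstream logging/detection only; this attribute must never
            // be used for authorization, which stays with the interceptor at the end of the chain.
            request.setAttribute("auth.state", classify(auth));
            chain.doFilter(request, response);
        }
    }

    // Maps the Authentication found in the holder to a label usable in audit logs.
    static String classify(Authentication auth) {
        if (auth == null) return "MISSING"; // would indicate the filter was mis-ordered
        if (auth instanceof AnonymousAuthenticationToken) return "ANONYMOUS";
        return auth.isAuthenticated() ? "AUTHENTICATED" : "UNAUTHENTICATED";
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.httpBasic(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Position is explicit: after step 8 (anonymous) and before the authorization step.
            .addFilterAfter(new AuthStateAuditFilter(), AnonymousAuthenticationFilter.class);
        return http.build();
    }
}
```

Registering the same filter with addFilterBefore(..., AnonymousAuthenticationFilter.class) instead would make "MISSING" a normal outcome for unauthenticated requests, which is exactly the ordering dependency the list above describes.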