Hello,

just some short questions. The DeligatingFilterProxy in web.xml points to the "springSecurityFilterChain", a FilterChainProxy. This "springSecurityFilterChain" is created by the namespace. The namespace contains for webapplication always those three filters (SecurityContextPersistenceFilter, ExceptionTranslationFilter, FilterSecurityInterceptor), others can be added by various elements. (form-login, usw.)

Now I read that its possible to write an individual FilterChainProxy, so that for some URLs I can define different filters. Do I declare the filters then in my spring config file? And can I still use the namespace with the "springSecurityFilterChain" for the other urls?
When I write custom filters and use them in the springSecurityFilterChain, can I also use them in my own FilterChainProxy? So that they can be used "twice"? Do I declare then multiple DeligatingFilterProxys in my web.xml?

Beside of the fact, that I might forget some filters in my own FilterChainProxy or order them incorrect or implement incorrect - is there anything which can go wrong when I use multiple FilterChainProxys?

Thank you :-)

If I were you I would leave Spring Security as it is (i.e. using the namespace). You then configure additional Filters in the web.xml. If you want to configure them using Spring, use the DelegatingFilterProxy but I would not use the FilterChainProxy. FilterChainProxy adds additional complexity that cannot be hidden using the namespace configuration as it is with the Spring Security Filters.

I will leave it, as it is, Im just interested in how it would work :-)

So you would not use an individual FilterChainProxy, but the existing one (springSecurityFilterChain). The DelegatingFilterProxy just delegates to a FilterChainProxy, correct? I know that it is possible to add individual filters to the springSecurityFilterChain. But in case I would want to use other filters for different urls, I need an individual FilterChainProxy, dont I? You said that additional Filters are configured in the web.xml, but I read this:

FilterChainProxy lets us add a single entry to web.xml and deal entirely with the application context file for managing our web security beans. It is wired using a DelegatingFilterProxy, just like in the example above, but with the filter-name set to the bean name “filterChainProxy”. The filter chain is then declared in the application context with the same bean name. Here's an example: It says, that there is one entry in the web.xml (I guess for a DelegatingFilterProxy), but the configuration, the filter chain, is in the application context file? So, again, my questions - if you dont bother, you could answer them with yes/no, so that there is no misunderstanding - that would be great! :-)

1) When I want to use different filters for some urls, I add an individual DeligatingFilterProxy to web.xml. I configure a FilterChainProxy then in my applicationContext.xml. The DelegatingFilterProxy points to it. Correct?
2) Can I still use http-namespace for the other urls?
3) So do I need then two DelegatingFilterProxys, one for springSecurityFilterChain (http-namespace) and one for my individual Filter Chain (or more, when Ive got more individual Filter Chains....)
4) Can I write custom filters and use them in the springSecurityFilterChain AND in my individual Filter Chain?

Thank you for your help :-)

maybe read this:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/security-filter-chain.html

and this:

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html

at 2.3.5

I already read it and I personally think that the answers to my questions are:
1) correct
2) yes
3) yes
4) yes

but.. as I misunderstand things sometimes, I wanted to make sure that it is correct :-) thanks for your answer!