@boudhayan-dev
Created May 1, 2021 18:15
// STEP 1 : Instantiation of the FilterChainProxy Bean
/**
 * Creates the servlet {@link Filter} bean registered under
 * {@link AbstractSecurityWebApplicationInitializer#DEFAULT_FILTER_NAME}.
 *
 * <p>The two configuration styles are mutually exclusive: if both
 * {@code WebSecurityConfigurerAdapter} instances and {@code SecurityFilterChain} beans are
 * present, start-up fails. When neither is present, an anonymous
 * {@code WebSecurityConfigurerAdapter} with no overrides is applied, so the application still
 * receives a filter chain instead of running without one.
 *
 * @return the filter produced by {@code webSecurity.build()}
 * @throws Exception if building the {@code WebSecurity} fails
 * @throws IllegalStateException (via {@code Assert.state}) if both configuration styles are used
 */
@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public Filter springSecurityFilterChain() throws Exception {
    boolean adaptersPresent = !(this.webSecurityConfigurers == null || this.webSecurityConfigurers.isEmpty());
    boolean chainBeansPresent = !this.securityFilterChains.isEmpty();
    // Refuse to start with a mixed configuration rather than pick one style silently.
    Assert.state(!adaptersPresent || !chainBeansPresent,
            "Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one.");
    if (!(adaptersPresent || chainBeansPresent)) {
        // Nothing was configured by the application: fall back to an adapter with no overrides.
        WebSecurityConfigurerAdapter defaultAdapter = this.objectObjectPostProcessor
                .postProcess(new WebSecurityConfigurerAdapter() {
                });
        this.webSecurity.apply(defaultAdapter);
    }
    for (SecurityFilterChain chain : this.securityFilterChains) {
        // Each pre-built chain is registered through a builder that simply returns it.
        this.webSecurity.addSecurityFilterChainBuilder(() -> chain);
        // Only the first FilterSecurityInterceptor of a chain is handed to WebSecurity.
        chain.getFilters().stream()
                .filter(FilterSecurityInterceptor.class::isInstance)
                .map(FilterSecurityInterceptor.class::cast)
                .findFirst()
                .ifPresent((interceptor) -> this.webSecurity.securityInterceptor(interceptor));
    }
    // Customizers run last and receive the shared WebSecurity instance, so they can change
    // anything configured above. NOTE(review): ignore rules are presumably added here; audit them.
    this.webSecurityCustomizers.forEach((customizer) -> customizer.customize(this.webSecurity));
    return this.webSecurity.build();
}
// STEP 2 : webSecurity.build() triggers the configuration of the HttpSecurity instances and of their parent WebSecurity instance.
// The build steps of both configuration classes are shown below.
// HttpSecurity instance build -> creates a DefaultSecurityFilterChain with the requestMatcher that
// we configure while extending the WebSecurityConfigurerAdapter class.
/**
 * Produces the filter chain for this builder: the configured filters, ordered by
 * {@code comparator}, paired with the configured request matcher.
 *
 * <p>The filter list is sorted in place, and the chain applies only to requests accepted by
 * {@code requestMatcher}.
 *
 * @return a new {@link DefaultSecurityFilterChain} over the sorted filters
 */
@Override
protected DefaultSecurityFilterChain performBuild() {
    // Filter order is security-relevant, so it is fixed by the comparator, not by insertion order.
    this.filters.sort(this.comparator);
    DefaultSecurityFilterChain builtChain = new DefaultSecurityFilterChain(this.requestMatcher, this.filters);
    return builtChain;
}
// WebSecurity instance build -> Fetches the list of SecurityFilterChains available (created by the step above)
// and adds them to the FilterChainProxy Bean.
/**
 * Assembles the {@link FilterChainProxy} from the ignored request matchers and the registered
 * filter chain builders.
 *
 * <p>Every ignored matcher becomes a {@link DefaultSecurityFilterChain} constructed with the
 * matcher only, i.e. with no filters, and these chains are placed ahead of the built ones.
 * NOTE(review): requests matching an ignored pattern therefore presumably get no security
 * filters at all; keep such patterns as narrow as possible.
 *
 * <p>A custom firewall and rejected-request handler are set only when configured; otherwise
 * the proxy keeps its own defaults. When debugging is enabled the proxy is wrapped in a
 * {@code DebugFilter} and a warning is logged, because the debug output may include sensitive
 * information.
 *
 * @return the proxy, or a {@code DebugFilter} around it when {@code debugEnabled} is set
 * @throws Exception if one of the filter chain builders fails
 * @throws IllegalStateException (via {@code Assert.state}) if no filter chain builder exists
 */
@Override
protected Filter performBuild() throws Exception {
    Assert.state(!this.securityFilterChainBuilders.isEmpty(),
            () -> "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. "
                    + "Typically this is done by exposing a SecurityFilterChain bean "
                    + "or by adding a @Configuration that extends WebSecurityConfigurerAdapter. "
                    + "More advanced users can invoke " + WebSecurity.class.getSimpleName()
                    + ".addSecurityFilterChainBuilder directly");
    int expectedChains = this.ignoredRequests.size() + this.securityFilterChainBuilders.size();
    List<SecurityFilterChain> chains = new ArrayList<>(expectedChains);
    // Ignored matchers go first, each as a chain that carries no filters.
    this.ignoredRequests.forEach((ignored) -> chains.add(new DefaultSecurityFilterChain(ignored)));
    // The real chains follow, in the order their builders were registered.
    for (SecurityBuilder<? extends SecurityFilterChain> chainBuilder : this.securityFilterChainBuilders) {
        SecurityFilterChain builtChain = chainBuilder.build();
        chains.add(builtChain);
    }
    FilterChainProxy proxy = new FilterChainProxy(chains);
    // Override the proxy defaults only when the application supplied replacements.
    if (this.httpFirewall != null) {
        proxy.setFirewall(this.httpFirewall);
    }
    if (this.requestRejectedHandler != null) {
        proxy.setRequestRejectedHandler(this.requestRejectedHandler);
    }
    proxy.afterPropertiesSet();
    Filter exposedFilter;
    if (this.debugEnabled) {
        // Make debug mode impossible to miss in the logs before wrapping the proxy.
        this.logger.warn("\n\n" + "********************************************************************\n"
                + "********** Security debugging is enabled. *************\n"
                + "********** This may include sensitive information. *************\n"
                + "********** Do not use in a production system! *************\n"
                + "********************************************************************\n\n");
        exposedFilter = new DebugFilter(proxy);
    }
    else {
        exposedFilter = proxy;
    }
    this.postBuildAction.run();
    return exposedFilter;
}