Overview and Need for DelegatingFilterProxy in Spring

1. Overview

The DelegatingFilterProxy is a servlet filter that allows passing control to Filter classes that have access to the Spring application context. Spring Security relies on this technique heavily.

In this tutorial, we’ll cover it in detail.

2. DelegatingFilterProxy

The Javadoc for DelegatingFilterProxy states that it’s a

Proxy for a standard Servlet Filter, delegating to a Spring-managed bean that implements the Filter interface.

When using servlet filters, we obviously need to declare them as a filter-class in our Java-config or web.xml, otherwise, the servlet container will ignore them. Spring’s DelegatingFilterProxy provides the link between web.xml and the application context.

2.1. Internal Working of DelegatingFilterProxy

Let’s have a look at how DelegatingFilterProxy transfers control to our Spring bean.

During initialization, DelegatingFilterProxy fetches the filter-name and retrieves the bean with that name from Spring Application Context. This bean must be of Type jakarta.Servlet.Filter, i.e. a “normal” servlet filter. Incoming requests will then be passed to this filter bean.

In short, DelegatingFilterProxy’s doFilter() method will delegate all calls to a Spring bean, enabling us to use all Spring features within our filter bean.

If we’re using Java-based configuration, our filter registration in ApplicationInitializer will be defined as:

@Override
protected Filter[] getServletFilters() {
    DelegatingFilterProxy delegateFilterProxy = new DelegatingFilterProxy();
    delegateFilterProxy.setTargetBeanName("applicationFilter");
    return new Filter[]{delegateFilterProxy};
}

If we use XML, then, in the web.xml file:

<filter>
    <filter-name>applicationFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

This means that any request can be made to pass through the filter defined as Spring bean with the name applicationFilter.

2.2. Need for DelegatingFilterProxy

DelegatingFilterProxy is a class in Spring’s Web module. It provides features for making HTTP calls pass through filters before reaching the actual destination. With the help of DelegatingFilterProxy, a class implementing the jakarta.Servlet.Filter interface can be wired into the filter chain.

As an example, Spring Security makes use of DelegatingFilterProxy to so it can take advantage of Spring’s dependency injection features and lifecycle interfaces for security filters.

DelegatingFilterProxy also leverages invoking specific or multiple filters as per Request URI paths by providing the configuration in Spring’s application context or in web.xml.

3. Creating a Custom Filter

As described above, DelegatingFilterProxy is a servlet filter itself which delegates to a specific Spring-managed bean that implements the Filter Interface.

In the next few sections, we’ll create a custom filter and configure it using Java & XML-based configuration.

3.1. Filter Class

We’re going to create a simple filter that logs request information before the request proceeds further.

Let’s first create a custom filter class:

@Component("loggingFilter")
public class CustomFilter implements Filter {

    private static Logger LOGGER = LoggerFactory.getLogger(CustomFilter.class);

    @Override
    public void init(FilterConfig config) throws ServletException {
        // initialize something
    }

    @Override
    public void doFilter(
      ServletRequest request, ServletResponse response, 
      FilterChain chain) throws IOException, ServletException {
 
        HttpServletRequest req = (HttpServletRequest) request;
        LOGGER.info("Request Info : " + req);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // cleanup code, if necessary
    }
}

CustomFilter implements jakarta.Servlet.Filter. This class has a @Component annotation to register as Spring bean in the application context. This way, the DelegatingFilterProxy class can find our filter class while initializing the filter chain.

Note that the name of the Spring bean must be the same as the value in the filter-name provided during the registration of the custom filter in ApplicationInitializer class or in web.xml later because the DelegatingFilterProxy class will look for the filter bean with the exact same name in the application context.

If it can’t find a bean with this name, it will raise an exception at application startup.

3.2. Configuring the Filter via Java Configuration

To register a custom filter using Java configuration, we need to override the getServletFilters() method of AbstractAnnotationConfigDispatcherServletInitializer:

public class ApplicationInitializer 
  extends AbstractAnnotationConfigDispatcherServletInitializer {
    // some other methods here
 
    @Override
    protected Filter[] getServletFilters() {
        DelegatingFilterProxy delegateFilterProxy = new DelegatingFilterProxy();
        delegateFilterProxy.setTargetBeanName("loggingFilter");
        return new Filter[]{delegateFilterProxy};
    }
}

3.3. Configuring the Filter via web.xml 

Let’s see how the filter configuration in web.xml looks like:

<filter>
    <filter-name>loggingFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>loggingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The filter-class argument is of type DelegatingFilterProxy and not the filter class we created. If we run this code and hit any URL, then doFilter() method of the CustomFilter will get executed and display the request info details in the log file.

4. Conclusion

In this article, we’ve covered how DelegatingFilterProxy works and how to use it.

Spring Security make extensive use of DelegatingFilterProxy for securing the web API calls and resources from unauthorized access.