No Bean Named ‘springSecurityFilterChain’ is Defined

1. The Problem

This article discusses a Spring Security configuration problem – the application bootstrapping process throwing the following exception:

SEVERE: Exception starting filter springSecurityFilterChain
org.springframework.beans.factory.NoSuchBeanDefinitionException:
No bean named 'springSecurityFilterChain' is defined

Further reading:

Introduction to Java Config for Spring Security

A quick and practical guide to Java Config for Spring Security

Read more

Spring Security 5 – OAuth2 Login

Learn how to authenticate users with Facebook, Google or other credentials using OAuth2 in Spring Security 5.

Read more

Servlet 3 Async Support with Spring MVC and Spring Security

Quick intro to the Spring Security support for async requests in Spring MVC.

Read more

2. The Cause

The cause of this exception is straightforward – Spring Security looks for a bean named springSecurityFilterChain (by default), and cannot find it. This bean is required by the main Spring Security Filter – the DelegatingFilterProxy – defined in the web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

This is just a proxy that delegates all its logic to the springSecurityFilterChain bean.

3. The Solution

The most common reason this bean is missing from the context is that the security XML configuration has no <http> element defined:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:sec="http://www.springframework.org/schema/security"
  xsi:schemaLocation="
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd">

</beans:beans>

If the XML configuration is using the security namespace – as the example above, then declaring a simple <http> element will ensure that the filter bean is created and everything starts up correctly:

<http auto-config='true'>
    <intercept-url pattern="/**" access="ROLE_USER" />
</http>

Another possible reason is that the security configuration is not imported at all into the overall context of the web application.

If the security XML config file is named springSecurityConfig.xml, make sure the resource is imported:

@ImportResource({"classpath:springSecurityConfig.xml"})

Or in XML:

<import resource="classpath:springSecurityConfig.xml" />

Finally, the default name of the filter bean can be changed in the web.xml – usually to use an existing Filter with Spring Security:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>customFilter</param-value>
    </init-param>
</filter>

4. Conclusion

This article discusses a very specific Spring Security problem – the missing filter chain bean – and shows the solutions to this common issue.

Leave a Reply

Your email address will not be published. Required fields are marked *