The Security Filter Chain

Spring Security's infrastructure is based enitrely on standard servlet filters.It doesn't use servlets or any other servlet-based frameworks(such as Spring MVC) internally,so it has no strong links to any particular web technology.It deals in HttpServletRequest and HttpServletResponse and doesn't care whether the requests come from a browser,a web service client,an HttpInvoker or an AJAX application.

Spring Security maintains a filter chain internally where each of the filters has particular responsibility and filters are added or removed from the configuration depending on which services are required.To ordering of the filters is important as there are dependencies between them.If you have been using namespace configuration ,then the filters are automatically configured for you and you don't have to define any Spring beans explicitly but here may be times when you want full control over the security filter chain,either because you are using features which aren't supported in the namespace,or you are using you own customized versions of classes.