Typical Stateless JWT Filter Chain

1. SecurityContextPersistenceFilter
   • Normally restores the SecurityContext from the session, but for stateless JWT, it skips session management as no session is stored.
2. CorsFilter
   • Handles Cross-Origin Resource Sharing (CORS) rules to allow or block requests from specific origins.
3. CsrfFilter
   • Protects against Cross-Site Request Forgery attacks. Often disabled in stateless setups.
4. BearerTokenAuthenticationFilter
   • Extracts the JWT from the Authorization header, validates it, and sets the Authentication object in the SecurityContext.
5. ExceptionTranslationFilter
   • Translates authentication or authorization exceptions (e.g., invalid JWT) into HTTP responses (e.g., 401 Unauthorized, 403 Forbidden).
6. FilterSecurityInterceptor
   • Enforces access control rules based on roles or authorities (defined in your SecurityFilterChain).

A request arrives through the service to the application. The FilterChain is the logic that intercepts this request, and first performs a chain of security checks before the request can approach the endpoints.