Originally Posted by dec1
According to figure 12-1 on p. 335, "FilterSecurityInterceptor" is the last filter to get "called" when a user requests a secured resource, in particular after "UsernamePasswordAuthenticationFilter".
However, according to fig. 12.4/12.5 on p. 343,
FilterSecurityInterceptor gets called (near the start, in particular) before UsernamePasswordAuthenticationFilter.
Which is correct?
Are one or both of these diagrams incorrect?
Thanks in advance for the clarification.
Both diagrams are correct, and FilterSecurityInterceptor is the last in the chain. In those diagrams we try to show what is going on during the authentication process, and they actually contain two different request flows. In the first request flow, the user tries to access a secure resource (editor.jsp), and the request flows through the various Spring Security filters in the chain and hits FilterSecurityInterceptor last. FilterSecurityInterceptor raises an AccessDeniedException, which causes a login page to be rendered. In the second request flow, the user submits the login form, and the request again flows through the filter chain. However, this time, before it reaches the FilterSecurityInterceptor, it is processed by UsernamePasswordAuthenticationFilter and the login process gets executed.
Hope this explanation made some things clearer.
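The two request flows described in the reply, as an added example that is not part of the original posts or of Spring Security's own code: a simplified two-filter model in plain Java. The login-processing URL, the session map, the stand-in classes and the third follow-up request are assumptions made for illustration.

```java
import java.util.*;

// Simplified model, not Spring Security's classes: a filter either handles
// the request and stops the chain, or passes it on to the next filter.
public class FilterChainDemo {
    static final String LOGIN_URL = "/j_spring_security_check"; // assumed login-processing URL

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    interface Filter {
        String doFilter(String method, String path, Map<String, String> session, Iterator<Filter> next);
    }

    // Earlier in the chain: only acts on the login form submission.
    static class UsernamePasswordAuthenticationFilter implements Filter {
        public String doFilter(String method, String path, Map<String, String> session, Iterator<Filter> next) {
            if ("POST".equals(method) && LOGIN_URL.equals(path)) {
                session.put("user", "editor"); // login executed (credential check omitted here)
                return "login processed; FilterSecurityInterceptor not reached";
            }
            return next.next().doFilter(method, path, session, next);
        }
    }

    // Last in the chain: makes the access decision for the secured resource.
    static class FilterSecurityInterceptor implements Filter {
        public String doFilter(String method, String path, Map<String, String> session, Iterator<Filter> next) {
            if (!session.containsKey("user")) throw new AccessDeniedException("access denied: " + path);
            return "served " + path;
        }
    }

    static String handle(String method, String path, Map<String, String> session) {
        // Same order for every request: the authentication filter first, the interceptor last.
        Iterator<Filter> chain = List.<Filter>of(
                new UsernamePasswordAuthenticationFilter(), new FilterSecurityInterceptor()).iterator();
        try {
            return chain.next().doFilter(method, path, session, chain);
        } catch (AccessDeniedException e) {
            return "login page rendered (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();
        System.out.println(handle("GET", "/editor.jsp", session)); // first flow in the reply
        System.out.println(handle("POST", LOGIN_URL, session));    // second flow in the reply
        System.out.println(handle("GET", "/editor.jsp", session)); // assumed follow-up after login
    }
}
```

The filter order never changes between the flows; only which filter ends up handling the request differs.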