I would like to disable one of the Spring Security filters in security chain.
I have already saw Prevent Spring Boot from registering a servlet filter question - and accepted should work but, unfortunately is not.
With code:
@Bean
public FilterRegistrationBean registration(AnonymousAuthenticationFilter filter) {
FilterRegistrationBean registration = new FilterRegistrationBean(filter);
registration.setEnabled(false);
return registration;
}
Spring Boot will promptly announce there is no qualifying bean, which is sad:
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}
After creating another bean:
@SuppressWarnings("deprecation") // Oh, there be dragons
@Bean
public AnonymousAuthenticationFilter anonymousAuthenticationFilter() {
return new AnonymousAuthenticationFilter();
}
I am attacked with
Caused by: java.lang.IllegalArgumentException: [Assertion failed] - this String argument must have length; it must not be null or empty
Which is entirely understable; Asserts in afterPropertiesSet() method https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/AnonymousAuthenticationFilter.java are preventing me from using default constructor. Using another approach:
@Bean
public AnonymousAuthenticationFilter anonymousAuthenticationFilter() {
// it will be disabled anyway so...
return new AnonymousAuthenticationFilter("_", new Object(), new ArrayList<GrantedAuthority>());
}
Everything is way nicer:
INFO 4916 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Filter anonymousAuthenticationFilter was not registered (disabled)
DEBUG 4916 --- [ost-startStop-1] o.s.security.web.FilterChainProxy : Initializing filter 'springSecurityFilterChain'
DEBUG 4916 --- [ost-startStop-1] o.s.security.web.FilterChainProxy : Filter 'springSecurityFilterChain' configured successfully
But after accessing some resource I got:
DEBUG 4916 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /user at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG 4916 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90572420: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 6B9D974A4634548750FE78C18F62A6B0; Granted Authorities: ROLE_ANONYMOUS'
For some reason AnonymousAuthenticationFilter is still working. The question: Is there a way to disable such filters in Spring Boot application?
Spring Security bundles all of the Filters within the HttpSecurity configuration. To disable anonymous authentication use the following:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.anonymous(AbstractHttpConfigurer::disable)
...
}
...
}
If you want to disable all of the defaults within Spring Security you can pass true into the parent class constructor to disable defaults. For example:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public SecurityConfig() {
super(true);
}
...
}