javaspringspring-securityspring-boot

Prevent Spring Boot from registering one of Spring Security filter


I would like to disable one of the Spring Security filters in security chain.

I have already saw Prevent Spring Boot from registering a servlet filter question - and accepted should work but, unfortunately is not.

With code:

    @Bean
    public FilterRegistrationBean registration(AnonymousAuthenticationFilter filter) {
        FilterRegistrationBean registration = new FilterRegistrationBean(filter);
        registration.setEnabled(false);
        return registration;
    }

Spring Boot will promptly announce there is no qualifying bean, which is sad:

Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}

After creating another bean:

    @SuppressWarnings("deprecation") // Oh, there be dragons
    @Bean
    public AnonymousAuthenticationFilter anonymousAuthenticationFilter() {
        return new AnonymousAuthenticationFilter();
    }

I am attacked with

Caused by: java.lang.IllegalArgumentException: [Assertion failed] - this String argument must have length; it must not be null or empty

Which is entirely understable; Asserts in afterPropertiesSet() method https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/AnonymousAuthenticationFilter.java are preventing me from using default constructor. Using another approach:

    @Bean
    public AnonymousAuthenticationFilter anonymousAuthenticationFilter() {
        // it will be disabled anyway so...
        return new AnonymousAuthenticationFilter("_", new Object(), new ArrayList<GrantedAuthority>());
    }

Everything is way nicer:

INFO 4916 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Filter anonymousAuthenticationFilter was not registered (disabled)

DEBUG 4916 --- [ost-startStop-1] o.s.security.web.FilterChainProxy : Initializing filter 'springSecurityFilterChain'

DEBUG 4916 --- [ost-startStop-1] o.s.security.web.FilterChainProxy : Filter 'springSecurityFilterChain' configured successfully

But after accessing some resource I got:

DEBUG 4916 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /user at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'

DEBUG 4916 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90572420: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 6B9D974A4634548750FE78C18F62A6B0; Granted Authorities: ROLE_ANONYMOUS'

For some reason AnonymousAuthenticationFilter is still working. The question: Is there a way to disable such filters in Spring Boot application?


Solution

  • Spring Security bundles all of the Filters within the HttpSecurity configuration. To disable anonymous authentication use the following:

    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        
        
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .anonymous(AbstractHttpConfigurer::disable)
                ...
        }
        ...
    }
    

    If you want to disable all of the defaults within Spring Security you can pass true into the parent class constructor to disable defaults. For example:

    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
        public SecurityConfig() {
            super(true);
        }
        ...
    }