spring-securityservlet-filters

How do I ensure a filter is executed after security filters in the SecurityFilterChain?


I have a BearerTokenAuthenticationFilter which is registered through a SecurityFilterChain. Additionally, there is a ProfileSynchronizationFilter which is registered via a FilterRegistrationBean.

The BearerTokenAuthenticationFilter needs to be executed before the ProfileSynchronizationFilter. Right now the opposite happens.

My understanding is that filters in the SecurityFilterChain is executed by a DelegatingFilterProxy. So, I assume it is the DelegatingFilterProxy which must be ordered relative to the ProfileSynchronizationFilter. However, I'm not sure if that is the right way - or even how to do that.

Excerpt from the Spring docs :

enter image description here

https://docs.spring.io/spring-security/reference/servlet/architecture.html#servlet-filterchainproxy

How do I solve this ordering issue so that the BearerTokenAuthenticationFilter gets executed before the ProfileSynchronizationFilter?

Configuration of the SecurityFilterChain :

@Bean
@Order(2)
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
  http.csrf()
    .disable()
    .sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
    .requestMatchers()
    .antMatchers(listOfSecuredResources)
    .and()
    .authorizeRequests()
    .antMatchers(listOfSecuredResources)
    .fullyAuthenticated()
    .and()
    .exceptionHandling()
    .authenticationEntryPoint(authenticationEntryPoint)
    .accessDeniedHandler(accessDeniedHandler)
    .and()
    .addFilter(jwtAuthenticationFilter)
    .anonymous()
    .disable();

  return http.build();
}

Configuration of the ProfileSynchronizationFilter :

@Bean
public FilterRegistrationBean registerProfileSynchronizationFilter(ProfileSynchronizationFilter profileSynchronizationFilter) {
  FilterRegistrationBean reg = new FilterRegistrationBean(profileSynchronizationFilter);
  reg.setOrder(6);
  return reg;
}

Solution

  • The illustration posted in the original post outlines filters and security filters very well. A DelegatingFilterProxy (springSecurityFilterChain) is installed as a filter by Spring. As the class name says, this filter delegates filtering to security filters.

    Security filters can not be ordered relative to regular filters. Security filters can only be ordered relative to other security filters.

    To get an understanding of both regular filters as well as security filters in your Spring Boot project, you can use the below class which will list all filters upon application startup.

    Based on this list, I was able to troubleshoot the ordering of filters.

    For the specific issue I described in the original post, one reason for the unpredictable execution order was that the security filter was exposed as a Bean. Spring thus installed the security filter as both a regular filter as well as a security filter:

    Springboot - filters automatically registered

    @Component
    public class FilterPrinter implements CommandLineRunner {
    
            @Autowired
            List<SecurityFilterChain> securityFilterChains;
    
            @Override
            public void run(String... args) throws Exception {
                    for (int i = 0; i < securityFilterChains.size(); i++) {
                            SecurityFilterChain securityFilterChain = securityFilterChains.get(i);
                            System.out.println("security chain #" + (i + 1) + " filters:");
                            System.out.println("-----");
                            List<Filter> filters = securityFilterChain.getFilters();
                            filters.forEach(filter
                                -> System.out.println("- " + filter.getClass().getSimpleName())
                            );
                    }
    
            }
    
            @Bean
            public CommandLineRunner cmdLineRunner(ApplicationContext context) {
                    return args -> {
                            ServletContextInitializerBeans scib = new ServletContextInitializerBeans(context,
                                FilterRegistrationBean.class, DelegatingFilterProxyRegistrationBean.class);
                            System.out.println("request filters:");
                            System.out.println("----");
                            scib.iterator().forEachRemaining(s -> {
                                    System.out.println("- " + s);
                            });
                    };
            }
    
    }