How do I ensure a filter is executed after security filters in the SecurityFilterChain?
I have a BearerTokenAuthenticationFilter which is registered through a SecurityFilterChain. Additionally, there is a ProfileSynchronizationFilter which is registered via a FilterRegistrationBean.
The BearerTokenAuthenticationFilter needs to be executed before the ProfileSynchronizationFilter. Right now the opposite happens.
My understanding is that filters in the SecurityFilterChain is executed by a DelegatingFilterProxy. So, I assume it is the DelegatingFilterProxy which must be ordered relative to the ProfileSynchronizationFilter. However, I'm not sure if that is the right way - or even how to do that.
Excerpt from the Spring docs :
https://docs.spring.io/spring-security/reference/servlet/architecture.html#servlet-filterchainproxy
How do I solve this ordering issue so that the BearerTokenAuthenticationFilter gets executed before the ProfileSynchronizationFilter?
Configuration of the SecurityFilterChain :
@Bean
@Order(2)
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.requestMatchers()
.antMatchers(listOfSecuredResources)
.and()
.authorizeRequests()
.antMatchers(listOfSecuredResources)
.fullyAuthenticated()
.and()
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.accessDeniedHandler(accessDeniedHandler)
.and()
.addFilter(jwtAuthenticationFilter)
.anonymous()
.disable();
return http.build();
}
Configuration of the ProfileSynchronizationFilter :
@Bean
public FilterRegistrationBean registerProfileSynchronizationFilter(ProfileSynchronizationFilter profileSynchronizationFilter) {
FilterRegistrationBean reg = new FilterRegistrationBean(profileSynchronizationFilter);
reg.setOrder(6);
return reg;
}
The illustration posted in the original post outlines filters and security filters very well. A DelegatingFilterProxy (springSecurityFilterChain) is installed as a filter by Spring. As the class name says, this filter delegates filtering to security filters.
Security filters can not be ordered relative to regular filters. Security filters can only be ordered relative to other security filters.
To get an understanding of both regular filters as well as security filters in your Spring Boot project, you can use the below class which will list all filters upon application startup.
Based on this list, I was able to troubleshoot the ordering of filters.
For the specific issue I described in the original post, one reason for the unpredictable execution order was that the security filter was exposed as a Bean. Spring thus installed the security filter as both a regular filter as well as a security filter:
Springboot - filters automatically registered
@Component
public class FilterPrinter implements CommandLineRunner {
@Autowired
List<SecurityFilterChain> securityFilterChains;
@Override
public void run(String... args) throws Exception {
for (int i = 0; i < securityFilterChains.size(); i++) {
SecurityFilterChain securityFilterChain = securityFilterChains.get(i);
System.out.println("security chain #" + (i + 1) + " filters:");
System.out.println("-----");
List<Filter> filters = securityFilterChain.getFilters();
filters.forEach(filter
-> System.out.println("- " + filter.getClass().getSimpleName())
);
}
}
@Bean
public CommandLineRunner cmdLineRunner(ApplicationContext context) {
return args -> {
ServletContextInitializerBeans scib = new ServletContextInitializerBeans(context,
FilterRegistrationBean.class, DelegatingFilterProxyRegistrationBean.class);
System.out.println("request filters:");
System.out.println("----");
scib.iterator().forEachRemaining(s -> {
System.out.println("- " + s);
});
};
}
}
- Multiple user details services for different endpoints
- Spring Security - Authrozation on rest apis
- Exclude specific resource page(s) from Cross-Origin-Resource-Policy same-origin header in Spring WebSecurityConfigurerAdapter
- my Spring CustomSecurityExpressionRoot not working
- @EnableGlobalMethodSecurity is deprecated in the new spring boot 3.0
- Spring Security blocks POST requests despite SecurityConfig
- #oauth2 security expressions on method level
- Calling spring authorization server OAuth2 REST endpoints
- How to extend the RequestMatcher in default RequestCache in Spring Security?
- How do I ensure a filter is executed after security filters in the SecurityFilterChain?
- how does spring security order multiple SecurityFilterChain?
- Spring 6 upgrade @PreAuthorize not working with ArgumentResolver
- CORS in Spring Security (Spring Boot 3)
- Spring Security Authentication returns empty authorities
- Should i use ofNullable after checking if the value is null?
- Spring Boot throwing 401 Unauthorized on POST request
- Spring Boot security, always opens login page
- Spring boot 3 Upgrade - java.lang.NoSuchMethodError
- How to save header's value into Spring Security context considering concurrency safety
- How to work around SpringSessionBackedReactiveSessionRegistry bug? (Spring Security, Spring Session)
- Property 'security.basic.enabled' is Deprecated: The security auto-configuration is no longer customizable
- Consider defining a bean of type 'org.springframework.security.authentication.AuthenticationManager' in your configuration
- StackOverflowError with Unresolvable Circular Reference in AuthenticationManager Bean Definition
- Spring Security 6.3.3 WebFlux CORS
- CORS errors using Spring Boot, Spring Security and React
- Spring Boot + Security + MVC + LDAP AD + SSO
- Why BCryptPasswordEncoder from Spring generate different outputs for same input?
- Spring-Boot behind a network proxy
- Preventing to send requests from different devices
- CVE-2024-38809: Spring Framework DoS via conditional HTTP request