All geek questions in one place

Adding a custom filter that will be called after the spring-security filter in Servlet 3+

I am using Spring-Security 3.2.4 and Spring Boot 1.1.0 (and related 4.X dependency versions). I am writing a web application that will run in the built-in tomcat.

I am trying to add two additional filters (not related to Spring security) that one of them will be called before Spring -Security-FilterChainProxy, and the other will be called after Spring - Security-FilterChainProxy.

My Spring-Security configuration files:

@Configuration @EnableWebMvcSecurity public class SecurityCtxConfig extends WebSecurityConfigurerAdapter { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("user").password("pass").roles("USER"); } @Override protected void configure(HttpSecurity http) throws Exception { http.csrf() .disable() .authorizeRequests() .anyRequest() .authenticated() .and() .formLogin() .usernameParameter("user").passwordParameter("password"); } }

And the main class (Application.class):

 @Configuration @ComponentScan @EnableAutoConfiguration public class Application { @Bean RequestFilter beforeSpringSecurityFilter(){ return new RequestFilter(); } @Bean RequestFilter afterSpringSecurityFilter(){ return new RequestFilter(); } public static void main(String[] args) { SpringApplication.run(Application.class, args); } }

And filter implementation:

 public class RequestFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { filterChain.doFilter(request, response); } }

Is there a way to control the order of the call when accounting for FilterChainProxy (which is created by the WebSecurityConfigurerAdapter? To be sure, the required order is:

  • request-filter-1
  • Spring-Security FilterChain
  • query filter 2

thanks

+5
source share
2 answers

FilterChainProxy using Spring Security is not Ordered (if you could order all your filters). But you should be able to register it in a FilterRegistrationBean , which is Ordered , and register other filters in the same way. In the case of a security filter, you can enter it by name in the registration bean. Others that you can probably enter by calling the @Bean method.

+5
source

Agree with everything that was said by Dave Sier;), but wished to add an example Java Config using FilterRegistrationBean.

In my situation, I found that my custom security filter (using Spring Security) was run twice for each request. Adding FilterRegistrationBean configuration fixed.

  @Bean(name = "myFilter") public MyAuthenticationFilter myAuthenticationFilter(final MyAuthenticationEntryPoint entryPoint) { final MyAuthenticationFilter filter = new MyAuthenticationFilter(); filter.setEntryPoint(entryPoint); return filter; } /** * We do this to ensure our Filter is only loaded once into Application Context * */ @Bean(name = "authenticationFilterRegistration") public FilterRegistrationBean myAuthenticationFilterRegistration(final MyAuthenticationFilter filter) { final FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean(); filterRegistrationBean.setFilter(filter); filterRegistrationBean.setEnabled(false); return filterRegistrationBean; }

(Regarding my specific problem with a filter that is registered twice in the application context - instead of using FilterRegistrationBean , I also found that re-implementing MyAuthenticationFilter to inherit from OncePerRequestFilter instead of GenericFilterBean also worked., OncePerRequestFilter support from Servlet 3.x up, and since I wrote a public library, servlet 2.x support may be required)

+3
source

Source: https://habr.com/ru/post/984282/

More articles:


All Articles