
I'm trying to customize the session management filter of Spring Security, but I get an error saying that my filter and the default one have the same 'order' value (although I don't have any <session-management> element in my <http> configuration and I have auto-config="false", as the Spring Security documentation says).

Here's my configuration of Spring Security:

<http auto-config="false" use-expressions="true">

    <custom-filter position="SESSION_MANAGEMENT_FILTER" ref="filtroGestionSesion" />

    <intercept-url pattern="/resources/**" filters="none"/>
    <intercept-url pattern="/faces/javax.faces.resource/**" filters="none"/>
    <intercept-url pattern="/faces/inicio.xhtml" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/autenticacion/login.xhtml*" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/administracion/**" access="isAuthenticated()"/>
    <intercept-url pattern="/faces/paginas/barco/**" access="isAuthenticated()"/>
    <intercept-url pattern="/faces/paginas/catalogo/**" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/error/**" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/plantillas/**" access="permitAll"/>
    <intercept-url pattern="/**" access="denyAll" />

    <form-login login-processing-url="/j_spring_security_check"
                login-page="/faces/paginas/autenticacion/login.xhtml"
                default-target-url="/faces/paginas/administracion/inicioAdmon.xhtml"
                always-use-default-target="true"
                authentication-failure-url="/faces/paginas/autenticacion/login.xhtml?error=authentication" />

    <logout logout-url="/j_spring_security_logout"
            logout-success-url="/faces/inicio.xhtml"
            invalidate-session="true" />
</http>

<global-method-security pre-post-annotations="enabled" />

<authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="myuser" password="myuser" authorities="" />
      </user-service>
    </authentication-provider>
</authentication-manager>

<beans:bean id="filtroGestionSesion" class="springSecurity.FiltroGestionSesion">
    <beans:constructor-arg ref="securityContextRepository" />
    <beans:property name="invalidSessionUrl" value="/faces/paginas/autenticacion/login.xhtml?error=timeout" />
</beans:bean>

<beans:bean id="securityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />

The class with my custom filter (springSecurity.FiltroGestionSesion) is a copy-paste from the one from Spring Security (org.springframework.security.web.session.SessionManagementFilter) but changing the package name, the class name and some custom code I added to the doFilter method.

Why doesn't it work, and why does it throw the error saying both filters have the same order?

I already disabled the default filter by removing the corresponding child element <session-management> from <http>, so that the position of my filter doesn't conflict with the default filter.

Do I have to remove any other element or customize anything else?

Does anyone know how to make a custom filter work in the SESSION_MANAGEMENT_FILTER position while disabling the default one?

Thank you in advance.

1 Answer


I've finally found the solution. I'm putting it here in case someone is interested.

The way to disable the default session management filter is not by removing the <session-management> element from <http>, but by adding it with no session fixation protection:

<session-management session-fixation-protection="none" />

This way, the default session management filter doesn't fire, and you can add your custom filter in that position with no conflict in the filter chain.

I've checked it looking at the debug logs of spring security in my webapp.

Hope it helps someone.

Comment: @Alex78191 sorry, it's been a long time since this. What I discovered is that in order to disable the filter you have to put . I don't know if in newer versions you can do it in another way. – choquero70 Jun 15 '18 at 02:12
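To show the fix in context, here is an added example (not the question's or the answer's own code): the question's <http> block reduced to the rules needed to make the point, with the answer's <session-management> element added next to the custom-filter declaration. The bean ids, class name and paths are the ones the question uses; the behaviour described in the comments is that of the Spring Security 3.x XML namespace parser.

```xml
<!-- Added example, not from the original question or answer. -->
<http auto-config="false" use-expressions="true">

    <!-- Spring Security 3.x namespace: with session-fixation-protection="none",
         no invalid-session-url attribute and no <concurrency-control> child,
         the namespace parser registers no default SessionManagementFilter,
         so the SESSION_MANAGEMENT_FILTER slot is free for the custom bean. -->
    <session-management session-fixation-protection="none" />

    <!-- The custom filter now takes the slot without an 'order' conflict. -->
    <custom-filter position="SESSION_MANAGEMENT_FILTER" ref="filtroGestionSesion" />

    <intercept-url pattern="/faces/paginas/autenticacion/login.xhtml*" access="permitAll" />
    <intercept-url pattern="/faces/paginas/administracion/**" access="isAuthenticated()" />
    <intercept-url pattern="/**" access="denyAll" />

    <form-login login-processing-url="/j_spring_security_check"
                login-page="/faces/paginas/autenticacion/login.xhtml"
                authentication-failure-url="/faces/paginas/autenticacion/login.xhtml?error=authentication" />

    <logout logout-url="/j_spring_security_logout"
            logout-success-url="/faces/inicio.xhtml"
            invalidate-session="true" />
</http>

<!-- Keep the invalid-session URL on the custom bean, as the question does, and
     NOT as invalid-session-url on <session-management>: that attribute would
     make the parser register the default filter again and the conflict returns. -->
<beans:bean id="filtroGestionSesion" class="springSecurity.FiltroGestionSesion">
    <beans:constructor-arg ref="securityContextRepository" />
    <beans:property name="invalidSessionUrl"
                    value="/faces/paginas/autenticacion/login.xhtml?error=timeout" />
</beans:bean>

<beans:bean id="securityContextRepository"
            class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
```

One caveat worth checking before shipping this: session-fixation-protection="none" only turns off the namespace's default protection, so the application's fixation defence now rests entirely on whatever SessionAuthenticationStrategy the custom filter applies. The SessionManagementFilter(SecurityContextRepository) constructor that the question copies defaults to SessionFixationProtectionStrategy in the 3.x releases, so a faithful copy keeps the protection; if the copied constructor was changed, pass a strategy explicitly. The same debug logging the answer used (the filter chain listing at startup) shows which classes actually occupy the SESSION_MANAGEMENT_FILTER position, and a login from a pre-authentication session should produce a new session id when the check passes.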