14

I am looking for a non invasive way to add a captcha filter for certain api calls.

My setup consists of two WebSecurityConfigurerAdapters with one filter each (not the captcha filter):

  • Internal api ("/iapi" use Filter A on all calls but also ignore some public requests like /authenticate)
  • External api ("/eapi" use Filter B on all calls)

How can I add a filter before the Spring Security stuff, on public, internal api or external api calls? I don't need the SecurityContext, just need to check for a Captcha in the request headers, forward to filterChain (normal filters) or manually deny access. I tried declaring a filter in web.xml, but that breaks the ability to use dependency injection.

Here is my Spring Security Configuration:

@EnableWebSecurity
public class SpringSecurityConfig {
    @Configuration
    @Order(1)
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public static class InternalApiConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        private Filter filterA;

        public InternalApiConfigurerAdapter() {
            super(true);
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            web
                    .ignoring()
                    .antMatchers("/public/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .antMatcher("/iapi/**")
                    .exceptionHandling().and()
                    .anonymous().and()
                    .servletApi().and()
                    .authorizeRequests()
                    .anyRequest().authenticated().and()
                    .addFilterBefore(filterA, (Class<? extends Filter>) UsernamePasswordAuthenticationFilter.class);
        }

        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return authenticationManager();
        }
    }

    @Configuration
    @Order(2)
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public static class ExternalApiConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        private FilterB filterB;

        public ExternalApiConfigurerAdapter() {
            super(true);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .antMatcher("/external/**")
                    .exceptionHandling().and()
                    .anonymous().and()
                    .servletApi().and()
                    .authorizeRequests()
                    .anyRequest().authenticated().and()
                    .addFilterBefore(filterB, (Class<? extends Filter>) UsernamePasswordAuthenticationFilter.class);
        }

        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return authenticationManager();
        }
    }

Update: At the moment I have a working configuration with a filter declared in web.xml. However, it has the drawback of being seperated from the Spring Context (e.g. no autowiring of beans), so I am looking for a better solution leveraging Spring.

Summary: There are two remaining problems:

  1. add a filter for specific urls only - using beforeFilter(...) inside any configuration adds a filter to all urls of that configuration. Antmatchers didn't work. I need something like that: /iapi/captcha/, /external/captcha/, /public/captcha/*.
  2. I have a public api which bypasses Spring Security completely: (web .ignoring() .antMatchers("/public/**");). I need to bypass Spring Security but still declare a filter there, using Spring autowiring but not necessarily Spring Security features, since my captcha filter only rejects or forwards calls in a stateless way.
Journeycorner
  • 2,474
  • 3
  • 19
  • 43
  • 1
    You are speaking about `Filter A` and `Filter B`. Are they placeholders for your captcha filter or do you have a real implementation for it? If so, could you update your question accordingly? – ksokol Dec 22 '15 at 09:11
  • 1
    not really sure if it is exactly what you are looking for, but found [this answer](http://stackoverflow.com/a/11929129/4207875) to a similar question. The differences are that they add the filter at the end of the chain, and the config is in XML, but in javaconfig, the http.addFilterBefore() does the trick too. – saljuama Dec 22 '15 at 13:22
  • @ksokol They are the filters of the current system, I don't want to touch them. – Journeycorner Dec 23 '15 at 09:36
  • @SalvadorJuanMartinez I don't think it will work. It's a xml config, and my main problem is, that I want to add a filter before specific paths only in different configurations - so I wouldn't need to change my whole setup. – Journeycorner Dec 23 '15 at 09:39
  • sorry, i guess i didn't explain myself clearly, i didn't mean change to XML config, and/or add the filter at the end, but instead, could be used as a reference, since it is a working example of how to add a custom filter to the chain. It provides information on how to implement the filters correctly. In your case you can stick to `.addFilterBefore() ` to insert the filter in the position you want. – saljuama Dec 23 '15 at 13:09

1 Answers1

14

You already have a working configuration with filters A and B inserted before UsernamePasswordAuthenticationFilter so should be easy to add another custom filter.

First, you create the filter, and declare it as a bean, either annotating the class with @Component, or as a @Bean inside a @Configuration class, so it is ready to be injected with @Autowired.

Now you are able to inject it, as filter A and B, and use it. According to the Filter Ordering section in the Spring Security reference documentation, the very first Filter in the chain is ChannelProcessingFilter, so in order to insert the filter before anything else in the Spring Security filter chain, you'd do this:

@Autowired
private CaptchaFilter captchaFilter;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .antMatcher("/iapi/**")
            .addFilterBefore(captchaFilter, (Class<? extends Filter>) ChannelProcessingFilter.class)
            .addFilterBefore(filterA, (Class<? extends Filter>) UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                .anyRequest().authenticated();
    }

By the way, exceptionHandling() anonymous() and servletApi() aren't needed because when extending WebSecurityConfigurerAdapter, these are already included, except for anonymous() when you actually specify more configuration details, as it states HttpSecurity javadoc

Keep in mind that the Spring Security "entrypoint", the DelegatingFilterProxy still will be executed before your filter, but this component only delegates the request to the first filter in the chain, which in this case would be the CaptchaFilter, so you really would execute your filter before anything else from Spring Security.

But if you still want the captcha filter be executed before the DelegatingFilterProxy, there is no way to do so in the Spring Security configuration, and you need to declare it in the web.xml file.

Update: If you do not desire to include the captcha filter in the other configurations, you can always add a third configuration, and the configurations class would be as follows:

@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SpringSecurityConfig {

    @Configuration
    @Order(1)
    public static class CaptchaApiConfigurerAdatper extends WebSecurityConfigurerAdapter {

        @Autowired
        private CaptchaFilter captchaFilter;

        public CaptchaApiConfigurerAdatper() {
            super(true);
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            web
                    .ignoring()
                    .antMatchers("/public/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .requestMatchers()
                        .antMatcher("/iapi/captcha**")
                        .antMatcher("/external/captcha**")
                        .and()
                    .addFilterBefore(captchaFilter, (Class<? extends Filter>) ChannelProcessingFilter.class)
                    .authorizeRequests()
                        .anyRequest().authenticated();
        }
    }            

    @Configuration
    @Order(2)
    public static class InternalApiConfigurerAdapter extends WebSecurityConfigurerAdapter {

        // ommiting code for the sake of clarity
    }

    @Configuration
    @Order(3)
    public static class ExternalApiConfigurerAdapter extends WebSecurityConfigurerAdapter {

         // ommiting code for the sake of clarity
    }

By the way, another tip, you can refactor all the common configuration outside the specific configurations, into the main class, like @EnableGlobalMethodSecurity(securedEnabled = true) the AuthenticationManager, the WebSecurity to skip security for the public, but for those since the main class is not extending anything you should @Autowire the method declarations.

Although there would be one problem with the WebSecurity, if you are ignoring /public/** the matcher for the HttpSecurity with /public/captcha** would be ignored, so i guess, you shouldnt refactor out the WebSecurity and have a different pattern in the CaptchaConfig class so it doesnt overlap.

saljuama
  • 2,906
  • 1
  • 20
  • 42
  • Sorry, I have already tried that approach. It would use those two filters on any request, but I need specific paths. Also I still don't know how to add them on non Spring Security calls. I updated my question accordingly. Thanks for the hint about exception handling, that stuff helps me to understand Spring Security better! – Journeycorner Dec 24 '15 at 09:38
  • There is nothing stopping you from adding a third configuration for the captcha filter, just keep in mind the `@Order`, i'll update the answer with an example. – saljuama Dec 24 '15 at 14:17