2

filterOne is only for path /1 and filterTwo is only for /2.

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .antMatcher("/1")
                .addFilterAfter(filterOneBean(), BasicAuthenticationFilter.class)
                .authorizeRequests()
                .and()
                .antMatcher("/2")
                .addFilterAfter(filterTwoBean(), BasicAuthenticationFilter.class)
                .authorizeRequests()
                .and();

/1 does not invoke filterOne or filterTwo, while /2 only filterOne is invoked. Why and how to fix it?

EDIT: The following configuration would still enter filterOne for /2

    @SuppressWarnings("SpringJavaAutowiringInspection")
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MultiHttpSecurityConfig {

    @Bean
    public FilterTwo setFilterTwo() {
        return new FilterTwo();
    }

    @Bean
    public FilterOne setFilterOne() {
        return new FilterOne();
    }


    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    }

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        private FilterTwo filterTwo;

        protected void configure(HttpSecurity http) throws Exception {
            http.addFilterAfter(filterTwo, BasicAuthenticationFilter.class)
                .antMatcher("/2")
                .authorizeRequests()
                .anyRequest()
                .authenticated();
        }
    }

    @Configuration
    @Order(2)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        private FilterOne filterOne;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.addFilterAfter(filterOne, BasicAuthenticationFilter.class)
                .antMatcher("/1")
                .authorizeRequests()
                .anyRequest()
                .authenticated();
        }
    }
}

I may restate what I am trying to achieve: /1 and /2 have different authentication rules, and they are implemented in an customized authentication filter, therefore they each have different filter chain.

EDIT 2: I found that filterTwo and One have different filterChain object id, and this is because setAuthentication method.

public class FilterTwo extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
        throws ServletException, IOException {
        ...
        SecurityContextHolder.getContext().setAuthentication(authentication); // This causes filterTwo invoked. 

        chain.doFilter(request,response);
    }
}
Tiina
  • 4,285
  • 7
  • 44
  • 73
  • Possible duplicate of [Spring Security multiple url ruleset not working together](https://stackoverflow.com/questions/39457121/spring-security-multiple-url-ruleset-not-working-together) – dur Jun 16 '17 at 16:09
  • @dur I found that `httpSecurity.authorizeRequests().antMatchers("/foo").authenticated();` conflicts with FilterRegistrationBean. It does not enter the binded filter. – Tiina Jun 17 '17 at 07:39
  • @dur I actually tries your method -- multiple configuration, but no, `/1` would still go through both filters even though they are configured in two different configuration classes. – Tiina Jun 17 '17 at 08:00
  • Are you using Spring Boot? Show your filter registration code. It could be a dupe of [this](https://stackoverflow.com/questions/39314176/filter-invoke-twice-when-register-as-spring-bean) question. – dur Jun 17 '17 at 09:22
  • @dur I have added the configuration you mentioned in that answer, however, for path `/1` it only enters `filterOne` as I want, but for path `/2` it enters `filterTwo` and then `filterOne` (I want `filterTwo` only). As the other comment you had, when I have registration bean in configuration, both path enter the correct filter, however the authentication of spring security fails to work. – Tiina Jun 19 '17 at 01:16
  • What do you mean by *however the authentication of spring security fails to work*? However, your question is a dupe of [this](https://stackoverflow.com/questions/39314176/filter-invoke-twice-when-register-as-spring-bean) question, because your filter problem is solved. Flag your question as a dupe and write another question with your next problem. I will read it. – dur Jun 19 '17 at 16:48

0 Answers0