13

I am trying to understand why do we usually need to call http.addFilterBefore(jwtAuthenticationFilter(),UsernamePasswordAuthenticationFilter.class) method in the initial configure(HttpSecurity http) method? As i understood it will firstly add a result from jwtAuthenticationFilter() and then UsernamePasswordAuthenticationFilter but i am not sure why? jwtAuthenticationFilter() implementation : 

@Override
protected  void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.userDetailsService(customerService).passwordEncoder(bCryptPasswordEncoder());
    }

Also is it that the security class that extends WebSecurityConfigurerAdapter will only be called once on startup?

Petar Petrovic
  • 163
  • 1
  • 1
  • 7
  • Did you try to use `addFilterAfter(jwtAuthenticationFilter(),UsernamePasswordAuthenticationFilter.class)` and see what is going to happen? – A.Oubidar Nov 22 '19 at 14:52
  • For the second question, each request that comes to your application will pass through your security class and filters. – A.Oubidar Nov 22 '19 at 15:00
  • 1
    I think personally that calling JWT authentication filter before UsernameAndPassword authentication filter is just to ensure that the filter respects Spring Security Filter Chain order and it's not directly related to UsernameAndPassword Filter. The important point is to call Authentication processing mechanisms together before going further in the chain. For more info about The Security Filter Chain, please check the official docs at https://docs.spring.io/spring-security/site/docs/3.0.x/reference/security-filter-chain.html – A.Oubidar Nov 22 '19 at 15:07

1 Answers1

28
  1. why do we usually need to call

We are configuring. not calling!

  1. Also is it that the security class that extends WebSecurityConfigurerAdapter will only be called once on startup?

Yes, configure methods will be executed(Run-Time-Polymorphism) on start up to set up HttpSecurity or configuring spring security filters.

In simple words, Spring Security is a filter based framework. Either we are enabling existing filter and configuring it or adding our custom filter.

  1. configure() method is used to set up existing filters after setting up we can modify those filters configuration. If your modification of configuration does not fulfill your requirements then you can define your own custom filers.

  2. To define custom filter there are three* provisions as given below
    (Actually 4 addFilterAt() which is rarely used)

 --------------------------------------------------------------------------------------
| java-config                      | xml-config                                        |
 --------------------------------------------------------------------------------------
| .addFilter()                     | <custom-filter  position="BASIC_AUTH_FILTER"/>    |
 --------------------------------------------------------------------------------------
| .addFilterBefore()               | <custom-filter  before="LAST" />                  |
 --------------------------------------------------------------------------------------
| .addFilterAfter()                | <custom-filter  after="FIRST" />                  |
 --------------------------------------------------------------------------------------
  1. In simple words.

  • .addFilter() You can add only instance of spring defined filters or you can add sub class of those spring security defined filters. For example
    .addFilter(customAuthFilter, UsernamePasswordAuthenticationFilter.class) customAuthFilter should be instance of UsernamePasswordAuthenticationFilter subclass or instance of UsernamePasswordAuthenticationFilter.

  • .addFilterAfter() and .addFilterBefore() Here filter can be any custom filter. However, the custom filter should be implementation of GenericFilterBean. In most cases, the implementation of OncePerRequestFilter will be used.

You can refer sequence of execution in spring security for detailed analysis.

Arun
  • 592
  • 3
  • 13
PraveenKumar Lalasangi
  • 3,255
  • 1
  • 23
  • 47
  • 1
    Why do we should add jwt filter before UsernamePasswordAuthenticationFilter not by the other? – vuvo Sep 07 '21 at 16:13
  • "We are configuring. not calling!" addFilterBefore is a method, which is called. – nasch Oct 03 '22 at 15:25