
From this Spring Security reference documentation:

It seems 5.x added more filters to the chain than 3.x. Or is there something else I should be aware of? Comments are welcome:

I see the below filters will be added to security chain (as per 5.x) -

ChannelProcessingFilter
SecurityContextPersistenceFilter
ConcurrentSessionFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
X509AuthenticationFilter
AbstractPreAuthenticatedProcessingFilter
CasAuthenticationFilter
UsernamePasswordAuthenticationFilter
BasicAuthenticationFilter
SecurityContextHolderAwareRequestFilter
JaasApiIntegrationFilter
RememberMeAuthenticationFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
SwitchUserFilter

Maybe a few of the above filters will be added only based on additional configuration, like the loading or presence of other classes. So I am not expecting all of the above filters to be present in the security chain of the application.

On looking at my application log (I am using Spring Security - 5.2.2), I see below -

23:10:50.354 [main] INFO  org.springframework.security.web.DefaultSecurityFilterChain   - Creating filter chain: any request, [mycorp.commons.rest.bean.OncePerFilterTest@3071d086, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@20711b02, org.springframework.security.web.context.SecurityContextPersistenceFilter@539953af, org.springframework.security.web.header.HeaderWriterFilter@345f4e0d, org.springframework.security.web.authentication.logout.LogoutFilter@6ea1fc9, mycorp.rest.jwt.MyJwtTokenFilter@52d9a150, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3678f32e, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@645b67d6, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@476a38d9, org.springframework.security.web.session.SessionManagementFilter@14a3a66c, org.springframework.security.web.access.ExceptionTranslationFilter@683218c8, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@6f87bc6c]

Above log with one filter per line is as below -

mycorp.commons.rest.bean.OncePerFilterTest@3071d086, 
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@20711b02, 
org.springframework.security.web.context.SecurityContextPersistenceFilter@539953af, 
org.springframework.security.web.header.HeaderWriterFilter@345f4e0d, 
org.springframework.security.web.authentication.logout.LogoutFilter@6ea1fc9, 
mycorp.rest.jwt.MyJwtTokenFilter@52d9a150, 
org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3678f32e, 
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@645b67d6, 
org.springframework.security.web.authentication.AnonymousAuthenticationFilter@476a38d9, 
org.springframework.security.web.session.SessionManagementFilter@14a3a66c, 
org.springframework.security.web.access.ExceptionTranslationFilter@683218c8, 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor@6f87bc6c

I see two additional filters -> WebAsyncManagerIntegrationFilter, RequestCacheAwareFilter in the chain. I am thinking that some other code has added these filters to the chain, just like I have added my own OncePerFilterTest and MyJwtTokenFilter to the chain. If this is right, then I am fine; else please correct.

Next, in my BaseWebSecurityConfig (extends WebSecurityConfigurerAdapter) --> configure(HttpSecurity http) method, I have added the below:

http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
http.addFilterBefore(oncePerFilterTest, ChannelProcessingFilter.class);

I was expecting ChannelProcessingFilter and UsernamePasswordAuthenticationFilter to be present in the filter chain. But since they are not there, I will assume that Spring Security determined that there is no need for these filters based on configuration and avoided loading them.

So, I want to know what is the requirement for loading -

  1. ChannelProcessingFilter
  2. UsernamePasswordAuthenticationFilter (I am more interested in details about this filter).
Manuel Jordan
samshers
UsernamePasswordAuthenticationFilter is used if you enable, for instance, formLogin. Also, you don't need a custom JWT filter; Spring already has one called BearerTokenAuthenticationFilter. https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/server/resource/web/BearerTokenAuthenticationFilter.html A JWT is just a format of a Bearer token. – Toerktumlare Jan 18 '22 at 19:32
https://docs.spring.io/spring-security/reference/servlet/architecture.html#servlet-security-filters here you can read about all the filters. The docs you have linked to are outdated. Here you can see, by clicking on the filters, that it will take you to the authentication form. – Toerktumlare Jan 18 '22 at 19:32
And here you can read how the built-in JWT authentication works and how to implement it correctly; no need for a custom filter: https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-architecture – Toerktumlare Jan 18 '22 at 19:35
@Toerktumlare - quite gr8. ++1. You should have posted this as an answer. – samshers Jan 18 '22 at 20:07
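The following is an added example, not code from the question or from the Spring Security project. It shows, for Spring Security 5.2.x with WebSecurityConfigurerAdapter, which configure() calls cause the two filters the question asks about to be registered (formLogin() for UsernamePasswordAuthenticationFilter, as Toerktumlare's comment says, and requiresChannel() for ChannelProcessingFilter), why addFilterBefore() still places a custom filter even when its anchor is absent, and how to dump the assembled chain at startup instead of reading the DefaultSecurityFilterChain log line. The package name, the two placeholder filter classes and the logFilterChain bean are assumptions.

```java
// Added example (not code from the question, nor from the Spring Security project).
// Targets Spring Security 5.2.x with WebSecurityConfigurerAdapter, as in the question.
// Package name, the two filter classes and the bean "logFilterChain" are hypothetical.
package mycorp.rest.config;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.CommandLineRunner;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@EnableWebSecurity
public class BaseWebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Stand-in for the asker's MyJwtTokenFilter: a real filter would validate the
    // bearer token here and populate the SecurityContext before continuing.
    static class JwtTokenFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            chain.doFilter(request, response);
        }
    }

    // Stand-in for the asker's OncePerFilterTest.
    static class OncePerFilterTest extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            chain.doFilter(request, response);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()   // this is why no CsrfFilter appears in the asker's log
            // requiresChannel() is the configurer that registers ChannelProcessingFilter.
            .requiresChannel().anyRequest().requiresSecure()
            .and()
            // formLogin() is the configurer that registers UsernamePasswordAuthenticationFilter.
            .formLogin()
            .and()
            .authorizeRequests().anyRequest().authenticated();

        // addFilterBefore() uses the anchor class only to compute the custom filter's
        // position in the chain; it never adds the anchor itself. Remove the two
        // configurer calls above and both custom filters are still registered while
        // the anchors disappear, which is exactly what the asker's log shows.
        http.addFilterBefore(new JwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
        http.addFilterBefore(new OncePerFilterTest(), ChannelProcessingFilter.class);
    }

    // Prints the assembled chain(s) once the context is up, one filter per line, so the
    // effect of a configure() change can be verified without reformatting the log line.
    @Bean
    public CommandLineRunner logFilterChain(ApplicationContext ctx) {
        return args -> {
            FilterChainProxy proxy = ctx.getBean("springSecurityFilterChain", FilterChainProxy.class);
            for (SecurityFilterChain chain : proxy.getFilterChains()) {
                System.out.println("Security filter chain " + chain);
                for (Filter f : chain.getFilters()) {
                    System.out.println("  " + f.getClass().getName());
                }
            }
        };
    }
}
```

Two caveats worth knowing. First, addFilterBefore() and addFilterAfter() accept as anchor only a class whose order is already known to the chain (Spring Security's own filters, or a custom filter registered earlier in the same configuration); an unknown anchor class throws IllegalArgumentException at startup, so anchoring on UsernamePasswordAuthenticationFilter.class works even when formLogin() is not enabled. Second, in a Spring Boot application the custom filters are instantiated with new here on purpose: declaring them as @Component beans makes Boot register them as plain servlet filters as well, so they run once outside the security chain and once inside it. requiresSecure() redirects plain-HTTP requests to HTTPS, so only enable it where TLS terminates at the application or the default port mapping (8080 to 8443) matches the deployment.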
