Java + Spring Boot here. I am building a RESTful web service that uses Spring Security for authentication/authorization.

Spring Security ships with a vast array of its own flexible and configurable Filters. My service has a need to define several of its own Filters, however:

  • they have absolutely nothing to do with security, and as such, shouldn't require any configuration within Spring Security's API; and
  • I do want them to be invoked after Spring Security has already allowed requests through all of its own security Filters; meaning these "non-security" Filters only get invoked if Spring Security has allowed the request through, ahead of time

I see this answer as well as this one but these both involve configuring other custom security Filters to work with Spring Security's built-in Filters. How can I configure Spring Boot to "position" my non-security Filters "after" (further down the filter chain) from Spring Security? And how can I control the order of those Filters once I do?

hotmeatballsoup
  • here is the complete filter list https://docs.spring.io/spring-security/reference/servlet/architecture.html#servlet-security-filters and you use the function `httpSecurity.addFilterAfter` https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/builders/HttpSecurity.html#addFilterAfter(javax.servlet.Filter,java.lang.Class) after the last one – Toerktumlare Jul 28 '22 at 20:01
  • You mean...I need to use Spring Security to configure the ordering of **non-security** filters? That doesn't make sense! What would I use to configure filter order if I wasn't using Spring Security?! – hotmeatballsoup Jul 28 '22 at 20:14
  • Then you would use what is proposed as the answer – Toerktumlare Jul 28 '22 at 20:53
  • Thanks, that answer is close but still not quite what I'm looking for, please see my comment under that question -- I have the same question for you! – hotmeatballsoup Jul 28 '22 at 21:07
  • why not just read the documentation https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/core/annotation/Order.html that he so kindly linked in his answer? – Toerktumlare Jul 28 '22 at 23:54
  • Because that documentation doesn't tell me how to avoid ordering collisions with Spring Security filters. I feel like you are rushing through this question and not actually reading it. I have Spring Security filters. I have non-security filters. That have nothing to do with Spring Security. But I need them invoked after the Spring Security filters have a chance to process requests. And I need them to not "collide" with Spring Security filters (by _collide_ I mean: I need to configure them such that they always run after Spring Security filters run). I don't know how else to say this. – hotmeatballsoup Jul 29 '22 at 01:34
  • Do you have ordering collisions? Show me code where you have ordering collisions. I expect you to read the docs and then experiment and try for yourself. And we have given you the answer, you either use my way or you use order. And we answer questions for free in our spare time. Remember that, good luck with your problem – Toerktumlare Jul 29 '22 at 09:06
  • The user whose answer I accepted answered my question. Your method required me to use Spring Security to configure non-security filters, which was not acceptable. Had I randomly chosen an `@Order` value of `100` then I would have had issues/collisions with Spring Security, and the accepted answer has now steered me clear of that. Also, offering someone a grilled cheese when they state they need a PB&J doesn't help them, at all. – hotmeatballsoup Jul 29 '22 at 12:20
  • Remember we answer for free. Never forget that. Good luck – Toerktumlare Jul 29 '22 at 15:51

1 Answer

You may set the order of a filter using the `@Order` annotation. It has a default value of `Integer.MAX_VALUE`, so your filter will be executed last (lower values have higher priority). Here is an example:

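```java
import java.io.IOException;
import javax.servlet.*; // jakarta.servlet.* on Spring Boot 3
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

// No value given, so the order is Integer.MAX_VALUE and the filter runs last.
@Order
@Component
public class TestFilter implements Filter {
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        filterChain.doFilter(servletRequest, servletResponse);
    }
}
```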

Spring Security is a single physical Filter but delegates processing to a chain of internal filters such as: `SecurityContextPersistenceFilter`, `RememberMeAuthenticationFilter`, `AnonymousAuthenticationFilter`, etc. The security filter is installed at a position defined by `SecurityProperties.DEFAULT_FILTER_ORDER`, which is set to -100. So any filter with an order higher than -100 will be executed after `FilterChainProxy` (the concrete class of the Spring Security filter).

For example:

```java
@Order(SecurityProperties.DEFAULT_FILTER_ORDER - 1)
@Component
public class BeforeSecurityFilter implements Filter {
    // doFilter(...) implemented as in TestFilter above
}
```

Will be executed before the security filter, and:

```java
@Order(SecurityProperties.DEFAULT_FILTER_ORDER + 1)
@Component
public class AfterSecurityFilter implements Filter {
    // doFilter(...) implemented as in TestFilter above
}
```

Will be executed after the security filter.

eparvan
  • Thanks @eparvan (+1) - what values are safe to set for `@Order(value = ???`) so that my non-security filters are guaranteed to be invoked after (again, further down the filter chain) all the Spring Security filters are invoked. That is the essence of this question: how do I order non-security filters to _not_ interfere with Spring Security filters?! – hotmeatballsoup Jul 28 '22 at 21:07
  • Did you find a way to set the order to run them as last? I have the same scenario as you. – RRGT19 Jul 16 '23 at 13:00
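
An added example, not part of the answer above and not Spring's own code: two non-security filters registered behind `FilterChainProxy` with a fixed order between them. It goes one step beyond the answer by reading the security filter's configured order from the `SecurityProperties` bean (so an override of `spring.security.filter.order` is honoured) instead of relying on the constant. The class, bean, attribute and header names are hypothetical, and the `javax.servlet` imports assume Spring Boot 2.x.

```java
import java.util.UUID;
import javax.servlet.Filter; // jakarta.servlet.* on Spring Boot 3
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class PostSecurityFilters { // hypothetical class name
    private static final Logger log = LoggerFactory.getLogger(PostSecurityFilters.class);

    // First filter behind Spring Security: tags request and response with an id.
    @Bean
    public FilterRegistrationBean<Filter> requestIdFilter(SecurityProperties security) {
        Filter filter = (req, res, chain) -> {
            String id = UUID.randomUUID().toString();
            req.setAttribute("requestId", id);
            ((HttpServletResponse) res).setHeader("X-Request-Id", id);
            chain.doFilter(req, res);
        };
        return register("requestIdFilter", filter, security, 1);
    }

    // Second filter: runs nested inside the security chain, so the
    // authenticated user (if any) is already visible on the request.
    @Bean
    public FilterRegistrationBean<Filter> auditFilter(SecurityProperties security) {
        Filter filter = (req, res, chain) -> {
            HttpServletRequest http = (HttpServletRequest) req;
            log.info("id={} user={} {} {}", req.getAttribute("requestId"),
                    http.getRemoteUser(), http.getMethod(), http.getRequestURI());
            chain.doFilter(req, res);
        };
        return register("auditFilter", filter, security, 2);
    }

    private static FilterRegistrationBean<Filter> register(
            String name, Filter filter, SecurityProperties security, int offset) {
        FilterRegistrationBean<Filter> reg = new FilterRegistrationBean<>(filter);
        reg.setName(name); // explicit name; both filters are lambdas of type Filter
        // -100 by default; follows spring.security.filter.order if it is overridden
        reg.setOrder(security.getFilter().getOrder() + offset);
        return reg;
    }
}
```

Filters ordered this way are skipped when Spring Security rejects a request, because the rejected request never leaves `FilterChainProxy`. Requests that match no security filter chain (for example paths excluded with `web.ignoring()`) still pass through to them unauthenticated.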