I'm using Spring-Security 3.2.4 and Spring Boot 1.1.0 (and its related dependencies versions 4.X). I'm writing a web application that will be run in an embedded Tomcat.
Agree with everything stated by Dave Syer ;) but wished to add a Java Config example of using the FilterRegistrationBean.
In my situation, I was finding that my custom security filter (using Spring Security) was being fired twice for every request. Adding the FilterRegistrationBean config fixed this.
@Bean(name = "myFilter")
public MyAuthenticationFilter myAuthenticationFilter(final MyAuthenticationEntryPoint entryPoint) {
    final MyAuthenticationFilter filter = new MyAuthenticationFilter();
    filter.setEntryPoint(entryPoint);
    return filter;
}

/**
 * We do this to ensure our Filter is only loaded once into Application Context
 */
@Bean(name = "authenticationFilterRegistration")
public FilterRegistrationBean myAuthenticationFilterRegistration(final MyAuthenticationFilter filter) {
    final FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
    filterRegistrationBean.setFilter(filter);
    // Disabled: the servlet container does not register this filter itself,
    // so it only runs where it is added to the Spring Security chain.
    filterRegistrationBean.setEnabled(false);
    return filterRegistrationBean;
}
(Regarding my specific issue of the filter being registered twice in the Application Context: rather than using a FilterRegistrationBean, I also found that re-implementing the MyAuthenticationFilter to inherit from OncePerRequestFilter instead of GenericFilterBean also worked. However, OncePerRequestFilter support is from Servlet 3.x upwards, and since I was writing a public library, support from Servlet 2.x may be needed.)
If you are using web.xml approaches, you can follow this: https://stackoverflow.com/a/11929129/1542363
If you are using Java config approaches, you can do this in WebSecurityConfigurerAdapter:
@Override
protected void configure(HttpSecurity http) throws Exception {
    // yourRequestFilter1 and yourRequestFilter2 stand for your own Filter instances
    http.addFilterBefore(yourRequestFilter1, ChannelProcessingFilter.class);
    http.addFilterAfter(yourRequestFilter2, SwitchUserFilter.class);
}
Always check the library version you are using, and refer to the specific document for the correct order of the filter chains:
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#ns-custom-filters
Or, if you are using AbstractSecurityWebApplicationInitializer, you can use the insertFilters or appendFilters methods.
public class SecurityApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
    @Override
    protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
        insertFilters(servletContext, new MultipartFilter());
    }
}
For more info, you can refer to this: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-multipart
The FilterChainProxy used by Spring Security is not Ordered (if it was you could order all your filters). But you should be able to register it in a FilterRegistrationBean which is Ordered and register your other filters the same way. In the case of the security filter you can inject it by name into the registration bean. The others you can probably inject by calling a @Bean method.
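The ordering approach described in the answer above, as an added example that is not code from any of the posters: the security chain is injected by its bean name into an ordered FilterRegistrationBean, with one filter placed before it and one after. Assumptions: the Spring Boot 1.x package for FilterRegistrationBean (as in the question), the default bean name springSecurityFilterChain, constructed order values, and a hypothetical AuditFilter defined only for the example.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.beans.factory.annotation.Qualifier;
// Spring Boot 1.x package; later versions moved it to org.springframework.boot.web.servlet
import org.springframework.boot.context.embedded.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.CharacterEncodingFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class FilterOrderConfig {
    // Constructed order value (assumption); a lower value runs earlier.
    static final int SECURITY_ORDER = 0;

    private static FilterRegistrationBean ordered(Filter filter, int order) {
        FilterRegistrationBean reg = new FilterRegistrationBean();
        reg.setFilter(filter);
        reg.setOrder(order);
        return reg;
    }

    // The FilterChainProxy, injected by bean name, gets an explicit order.
    @Bean
    public FilterRegistrationBean securityChainRegistration(
            @Qualifier("springSecurityFilterChain") Filter securityChain) {
        return ordered(securityChain, SECURITY_ORDER);
    }

    // Before the security chain: sees every request, authenticated or not.
    @Bean
    public FilterRegistrationBean encodingRegistration() {
        return ordered(new CharacterEncodingFilter(), SECURITY_ORDER - 1);
    }

    // After the security chain: only requests the chain let through arrive.
    @Bean
    public FilterRegistrationBean auditRegistration() {
        return ordered(new AuditFilter(), SECURITY_ORDER + 1);
    }

    // Hypothetical filter, defined here only for the example.
    static class AuditFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                FilterChain chain) throws ServletException, IOException {
            logger.info(req.getMethod() + " " + req.getRequestURI() + " user=" + req.getRemoteUser());
            chain.doFilter(req, res);
        }
    }
}
```

Any filter that makes or relies on an access decision belongs at or after SECURITY_ORDER; a filter ordered before it runs on requests that have not been authenticated yet.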