[FIXED] Adding a custom filter to be invoked after spring-security filter in a Servlet 3+ environment

Issue

I'm using Spring-Security 3.2.4 and Spring Boot 1.1.0 (and it's related dependencies versions 4.X). I'm writing a web application that will be run in an embedded tomcat.

I'm trying to add two additional filters(not related to Spring security) that one of them will be invoked before the Spring-Security-FilterChainProxy and the other one will be invoked after the Spring-Security-FilterChainProxy.

My Spring-Security configuration files:

@Configuration
@EnableWebMvcSecurity
public class SecurityCtxConfig extends WebSecurityConfigurerAdapter {

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
    .inMemoryAuthentication()
        .withUser("user").password("pass").roles("USER");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf()
            .disable()
            .authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .usernameParameter("user").passwordParameter("password");
}
}

And the Main class (Application.class):

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application {

    @Bean
RequestFilter beforeSpringSecurityFilter(){
    return new RequestFilter();
}

@Bean
RequestFilter afterSpringSecurityFilter(){
    return new RequestFilter();
}

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

And the Filter implementation:

public class RequestFilter extends OncePerRequestFilter {

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
        filterChain.doFilter(request, response);
}

}

Is there a way to controll the invocation order when taking in account the FilterChainProxy (that is beeing created by the WebSecurityConfigurerAdapter ? To be percise, the required order is:

1. request-filter-1
2. Spring-Security FilterChain
3. request-filter-2

Thanks

Solution

The FilterChainProxy use by Spring Security is not Ordered (if it was you could order all your filters). But you should be able to register it in a FilterRegistrationBean which is Ordered and register your other filters the same way. In the case of the security filter you can inject it by name into the registration bean. The others you can probably inject by calling a @Bean method.

Answered By - Dave Syer