1 year ago
#66632
samshers
In the Spring Security filter chain, why don't I see all the filters in the chain (more specifically UsernamePasswordAuthenticationFilter)?
From these Spring docs -
5.x -> https://docs.spring.io/spring-security/site/docs/5.2.1.RELEASE/reference/htmlsingle/#filter-stack
(it seems 5.x added more filters to the chain than 3.x. Or is there something else I should be aware of? Comments are welcome)
and from this doc
3.x -> https://docs.spring.io/spring-security/site/docs/3.0.x/reference/security-filter-chain.html
I see that the below filters will be added to the security chain (as per 5.x) -
- ChannelProcessingFilter
- SecurityContextPersistenceFilter
- ConcurrentSessionFilter
- HeaderWriterFilter
- CsrfFilter
- LogoutFilter
- X509AuthenticationFilter
- AbstractPreAuthenticatedProcessingFilter
- CasAuthenticationFilter
- UsernamePasswordAuthenticationFilter
- BasicAuthenticationFilter
- SecurityContextHolderAwareRequestFilter
- JaasApiIntegrationFilter
- RememberMeAuthenticationFilter
- AnonymousAuthenticationFilter
- SessionManagementFilter
- ExceptionTranslationFilter
- FilterSecurityInterceptor
- SwitchUserFilter
Maybe a few of the above filters will be added only based on additional configuration, like the loading or presence of other classes. So I am not expecting all of the above filters to be present in the security chain of the application.
On looking at my application log (I am using Spring Security 5.2.2), I see the below -
```
23:10:50.354 [main] INFO org.springframework.security.web.DefaultSecurityFilterChain - Creating filter chain: any request, [mycorp.commons.rest.bean.OncePerFilterTest@3071d086, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@20711b02, org.springframework.security.web.context.SecurityContextPersistenceFilter@539953af, org.springframework.security.web.header.HeaderWriterFilter@345f4e0d, org.springframework.security.web.authentication.logout.LogoutFilter@6ea1fc9, mycorp.rest.jwt.MyJwtTokenFilter@52d9a150, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3678f32e, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@645b67d6, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@476a38d9, org.springframework.security.web.session.SessionManagementFilter@14a3a66c, org.springframework.security.web.access.ExceptionTranslationFilter@683218c8, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@6f87bc6c]
```
The above log with one filter per line is as below -
```
mycorp.commons.rest.bean.OncePerFilterTest@3071d086,
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@20711b02,
org.springframework.security.web.context.SecurityContextPersistenceFilter@539953af,
org.springframework.security.web.header.HeaderWriterFilter@345f4e0d,
org.springframework.security.web.authentication.logout.LogoutFilter@6ea1fc9,
mycorp.rest.jwt.MyJwtTokenFilter@52d9a150,
org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3678f32e,
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@645b67d6,
org.springframework.security.web.authentication.AnonymousAuthenticationFilter@476a38d9,
org.springframework.security.web.session.SessionManagementFilter@14a3a66c,
org.springframework.security.web.access.ExceptionTranslationFilter@683218c8,
org.springframework.security.web.access.intercept.FilterSecurityInterceptor@6f87bc6c
```
I see two additional filters -> WebAsyncManagerIntegrationFilter, RequestCacheAwareFilter in the chain. I am thinking that some other code has added these filters to the chain, just like I have added my own OncePerFilterTest and MyJwtTokenFilter to the chain. If this is right, then I am fine; else please correct me.
Next, in my BaseWebSecurityConfig extends WebSecurityConfigurerAdapter --> configure(HttpSecurity http) method, I have added the below
```java
http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
http.addFilterBefore(oncePerFilterTest, ChannelProcessingFilter.class);
```
I was expecting ChannelProcessingFilter and UsernamePasswordAuthenticationFilter to be present in the filter chain. But since they are not there, I will assume that Spring Security determined that there is no need for these filters based on configuration and avoided loading them.
So, I want to know what the requirement is for loading -
- ChannelProcessingFilter
- UsernamePasswordAuthenticationFilter (I am more interested in details about this filter).
spring
spring-boot
spring-security
spring-security-rest
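As an added example (not part of the original post and not the poster's code), this configuration shows which `HttpSecurity` calls register the two filters asked about, assuming Spring Security 5.2.x. The class name `ExampleWebSecurityConfig`, the nested stand-in filters and the authorization rule are hypothetical.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class ExampleWebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical pass-through filters standing in for the poster's custom filters.
    // Two distinct classes are used because the ordering is recorded per filter class.
    static class PassThroughFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            chain.doFilter(request, response);
        }
    }
    static class JwtStandIn extends PassThroughFilter { }
    static class FirstStandIn extends PassThroughFilter { }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Illustrative authorization rule (assumption, not from the post).
        http.authorizeRequests().anyRequest().authenticated();

        // formLogin() applies FormLoginConfigurer, which registers
        // UsernamePasswordAuthenticationFilter in the chain.
        http.formLogin();

        // requiresChannel() applies ChannelSecurityConfigurer, which registers
        // ChannelProcessingFilter; here every request must arrive over HTTPS.
        http.requiresChannel().anyRequest().requiresSecure();

        // The class argument only selects a position in the built-in ordering;
        // it does not register the referenced filter.
        http.addFilterBefore(new JwtStandIn(), UsernamePasswordAuthenticationFilter.class);
        http.addFilterBefore(new FirstStandIn(), ChannelProcessingFilter.class);
    }
}
```

With this configuration the `DefaultSecurityFilterChain` startup log line lists both `ChannelProcessingFilter` and `UsernamePasswordAuthenticationFilter`; without the `formLogin()` and `requiresChannel()` calls the custom filters still occupy the same relative positions.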
0 Answers