Skip to content

Spring Security FilterChainProxy is registered automatically as a Filter #2171

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
cemo opened this issue Dec 16, 2014 · 4 comments
Closed

Spring Security FilterChainProxy is registered automatically as a Filter #2171

cemo opened this issue Dec 16, 2014 · 4 comments

Comments

@cemo
Copy link
Contributor

cemo commented Dec 16, 2014

Spring Security is exposing a Filter which registered by Spring Boot. This results in a duplicate filter registration and unpredictable behaviour of our application.

Details:

org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity is registering a FilterChainProxy instance bean which is a Filter as this:

    @Bean(name=AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
    public Filter springSecurityFilterChain() throws Exception {
        boolean hasConfigurers = webSecurityConfigurers != null && !webSecurityConfigurers.isEmpty();
        if(!hasConfigurers) {
            throw new IllegalStateException("At least one non-null instance of "+ WebSecurityConfigurer.class.getSimpleName()+" must be exposed as a @Bean when using @EnableWebSecurity. Hint try extending "+ WebSecurityConfigurerAdapter.class.getSimpleName());
        }
        return webSecurity.build();
    }

I have declared a FilterRegistrationBean a FilterRegistrationBean as here: org.springframework.boot.autoconfigure.security.SpringBootWebSecurityConfiguration#securityFilterChainRegistration

   @Bean
   @ConditionalOnBean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
   public FilterRegistrationBean securityFilterChainRegistration( ) {
      DelegatingFilterProxy delegatingFilterProxy = new DelegatingFilterProxy();
      delegatingFilterProxy.setTargetBeanName(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);
      FilterRegistrationBean registrationBean = new FilterRegistrationBean(delegatingFilterProxy);
      registrationBean.addUrlPatterns("/*");
      return registrationBean;
   }

This seems a bug to me. Am I missing something?
@cemo cemo mentioned this issue Dec 16, 2014
Closed
@philwebb philwebb added this to the 1.2.1 milestone Dec 16, 2014
@dsyer
Copy link
Member

dsyer commented Dec 17, 2014

What were you trying to do with the FilterRegistrationBean? If you just want to control the registration of the security filter then you need to make its filter the actual security filter, not a delegating proxy. I don't know what we would change for 1.2.1 unless I'm missing something.

@philwebb philwebb added the status: waiting-for-feedback We need additional information before we can continue label Dec 17, 2014
@cemo
Copy link
Contributor Author

cemo commented Dec 17, 2014

My problem resolved.

For those of you who are interested in my problem, I added

registrationBean.setName(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);

This prevents registering actual filter on startup. Spring Boot calls every org.springframework.boot.context.embedded.ServletContextInitializer on startup. For FilterRegistrationBean's it checks both filter status enabled and then tries to add. For filters already registered with same name return null.

By the way I had to use DelegatingFilterProxy because of early initialising is causing an error in my application. I had to use it for delegating to a later phase.

Shortly, I think that It would be great to add this sections clearly in documentation. It would help really a lot.

Thanks for your time guys.

@cemo cemo closed this as completed Dec 17, 2014
@dsyer dsyer removed the status: waiting-for-feedback We need additional information before we can continue label Dec 17, 2014
@philwebb philwebb removed this from the 1.2.1 milestone Dec 17, 2014
@dsyer dsyer reopened this Dec 17, 2014
@dsyer
Copy link
Member

dsyer commented Dec 17, 2014

That doesn't seem like a great resolution. If you can provide a simple test project that demonstrates the problem, we might be able to have a more productive discussion.

@cemo
Copy link
Contributor Author

cemo commented Dec 17, 2014

You are right, I will provide tomorrow.

@cemo cemo closed this as completed Nov 16, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cemo @dsyer @philwebb