12

I have custom authentication filter which creates PreAuthenticatedAuthenticationToken and stores it in security context. This all works fine. Here is the config:

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private SsoAuthenticationProvider authenticationProvider;

    @Autowired
    private SsoAuthenticationFilter ssoAuthenticationFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterAfter(ssoAuthenticationFilter, SecurityContextPersistenceFilter.class);
    }
}

Now my ssoAuthenticationFilter is part of the FilterChainProxy, on the right position. Smooth.

But as the ssoAuthenticationFilter is Filter it gets picked up by Boot and included as a filter. So my filter chain really looks like:

  • ssoAuthenticationFilter (included because being Filter)
  • filterChainProxy (spring autoconfiguration)
    • ...
    • SecurityContextPersistenceFilter
    • ssoAuthenticationFilter (included by http.addFilterAfter(...))
    • ...
  • some other filters

Obviously I would like to get rid of the autoregistration of the ssoAuthenticationFilter here (the first one listed).

Any tips much appreciated.

Improve this question

1 Answer 1

Reset to default
11

2 choices:

  1. Add a FilterRegistrationBean @Bean with your filter bean as its target filter and mark it as enabled=false

  2. Don't create a @Bean definition for your filter (normally that's what I do, but YMMV since you might depend on autowiring or something to get it working)

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Are there any plans to converge the Spring Security filter configuration with the Spring Boot way of doing it? I'd love to be able to set the order of my servlet filters, including being able to put one before the security filters without having to mess with the HttpSecurity
Don't think I understand that one (and it doesn't seem to add anything to the answer). Anyway, you can't do security filters as ordered beans because there can be multiple filter chains in one context.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.