10

I am using spring-security-oauth2 in IDP mode and spring-boot. I need to do some work before the oauth token is extracted from the request. How do I add a filter before OAuth2AuthenticationProcessingFilter?

I have tried:

@Configuration
@EnableResourceServer
public class OAuth2ResourceServerConfigurerAdapter extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests().anyRequest().authenticated().and()
                .addFilterBefore(new MyFilter(), OAuth2AuthenticationProcessingFilter.class);
    }

}

But I get the following exception:

java.lang.IllegalArgumentException: Cannot register after unregistered Filter class org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter

I guess this might be because @EnableResourceServer is executed after configure(HttpSecurity http).

  • Could you add an interceptor instead of a filter? Commented Oct 18, 2017 at 4:30
  • I am using these filters in multiple WebSecurityConfigs. As long as Interceptors allow this I should be able to use them. I also need to control the order in which the filter runs (TenantFilter runs before JwtFilter which in turn runs before WebAsyncManagerIntegrationFilter etc.). I also need to be able to selectively use different Interceptors for different WebSecurityConfigs. Is this possible with Interceptors? Can you provide an example? Commented Oct 18, 2017 at 5:21
  • This may be helpful for you: stackoverflow.com/q/11586757/4423636 Commented Oct 18, 2017 at 6:36
  • @jax Did you solve this? I have the exact same problem, and it only ends up with anti-patterns and ugly stuff :( I'd like to be able to add a filter, once the filterchain has been created by @EnableResourceServer. Commented Nov 6, 2018 at 16:52
  • @jax Have you resolved the issue? Commented Jan 19, 2019 at 0:38

2 Answers

6

I achieved the desired functionality by doing this:

                .addFilterBefore(new MyTokenFilter(), AbstractPreAuthenticatedProcessingFilter.class)

1 Comment

Hi, why does it work?
2

The following worked for me

   @Override
   public void configure(HttpSecurity http) throws Exception {
       http
         .addFilterBefore(new MyFilter(), AbstractPreAuthenticatedProcessingFilter.class)
         .authorizeRequests().anyRequest().fullyAuthenticated()
       ;
   }

Result

Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  MyFilter
  OAuth2AuthenticationProcessingFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]
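
Why the question's call throws while both answers' call works, shown as an added example that is not part of the original posts and is not Spring Security code. It is a simplified model that assumes the filter chain gives each known filter class a numeric position, that `addFilterBefore` can only anchor on a class that already has one, and, as the question guesses, that the resource server setup adds `OAuth2AuthenticationProcessingFilter` before `AbstractPreAuthenticatedProcessingFilter` only after `configure(HttpSecurity)` has run; `FilterOrderModel` and its methods are hypothetical names.

```java
import java.util.*;

// Simplified model of the ordering behaviour (an assumption, not Spring Security source).
// Filter names are plain strings; FilterOrderModel and its methods are hypothetical.
public class FilterOrderModel {
    private final Map<String, Integer> order = new HashMap<>();
    private final List<String> chain = new ArrayList<>();

    FilterOrderModel() {
        // Built-in filter classes have a position up front; the OAuth2 filter does not.
        String[] builtIn = {"LogoutFilter", "AbstractPreAuthenticatedProcessingFilter",
                "AnonymousAuthenticationFilter"};
        for (int i = 0; i < builtIn.length; i++) order.put(builtIn[i], (i + 1) * 100);
    }

    void addFilter(String builtInFilter) { chain.add(builtInFilter); }

    void addFilterBefore(String filter, String anchor) {
        Integer pos = order.get(anchor);
        if (pos == null) throw new IllegalArgumentException(
                "Cannot register after unregistered Filter " + anchor);
        order.put(filter, pos - 1); // the new class gets a position just before the anchor
        chain.add(filter);
    }

    List<String> build() {
        List<String> sorted = new ArrayList<>(chain);
        sorted.sort(Comparator.comparing(order::get)); // stable: ties keep insertion order
        return sorted;
    }

    public static void main(String[] args) {
        FilterOrderModel http = new FilterOrderModel();
        try { // the question's attempt: the anchor class has no position yet
            http.addFilterBefore("MyFilter", "OAuth2AuthenticationProcessingFilter");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
        // the answers' approach, called from configure(http) ...
        http.addFilterBefore("MyFilter", "AbstractPreAuthenticatedProcessingFilter");
        // ... assumed to be followed by the resource server adding its own filter
        http.addFilterBefore("OAuth2AuthenticationProcessingFilter",
                "AbstractPreAuthenticatedProcessingFilter");
        http.addFilter("LogoutFilter");
        http.addFilter("AnonymousAuthenticationFilter");
        System.out.println(http.build());
    }
}
```

In this model the two filters share a position, so `MyFilter` stays ahead of the token filter only because it was added first; printing the real chain, as in the result above, confirms the order in a running application.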
