Exception with (Custom) RestAuthenticationProcessingFilter Ordering

Question

I try to add Rest authentication by token to my app. I created a simple filter doing nothing else print a message :

public class RestAuthenticationProcessingFilter extends GenericFilterBean {

    @Override
    public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2) throws IOException, ServletException {
        System.out.println(arg0);
        // EDIT 25/02/2014
        arg2.doFilter(arg0,arg1);
    }
}

I'm using Spring 4.0 and Spring Security 3.2 with JavaConfig.

I added this in my adapter :

@Override
protected void configure(HttpSecurity http) throws Exception {
    /*
     * @RemarqueDev Différence entre permitAll et anonymous : permitAll
     * contient anonymous. Anonymous uniquement pour non connecté
     */
     http.addFilter(new RestAuthenticationProcessingFilter());
     http.csrf().disable().headers().disable();
     http.exceptionHandling().authenticationEntryPoint(new RestAuthenticationEntryPoint());
}

When I run jetty server, I receive this message:

Nested in org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public javax.servlet.Filter org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain() throws java.lang.Exception] threw exception; nested exception is java.lang.IllegalArgumentException: The Filter class my.package.config.RestAuthenticationProcessingFilter does not have a registered order and cannot be added without a specified order. Consider using addFilterBefore or addFilterAfter instead.:
java.lang.IllegalArgumentException: The Filter class com.jle.athleges.config.RestAuthenticationProcessingFilter does not have a registered order and cannot be added without a specified order. Consider using addFilterBefore or addFilterAfter instead.
    at org.springframework.security.config.annotation.web.builders.HttpSecurity.addFilter(HttpSecurity.java:1122)

Why?

Answer 1

addFilter:

Adds a Filter that must be an instance of or extend one of the Filters provided within the Security framework. The method ensures that the ordering of the Filters is automatically taken care of. The ordering of the Filters is:...

Your filter is not an instance or extend of the Filter within the Security framework.

What you can do however is use addFilterBefore or addFilterAfter.

For example:

addFilterBefore(new RestAuthenticationProcessingFilter(), BasicAuthenticationFilter.class)

You can find the order of the security filter chain in the docs.

Answer 2

Spring defines a sorting rule for security filters, check the constructor org.springframework.security.config.annotation.web.builders.FilterComparator. when you call org.springframework.security.config.annotation.web.builders.HttpSecurity# When addFilter, its method will use org.springframework.security.config.annotation.web.builders.FilterComparator built-in security filter sorting rules to check whether the Filter is registered. When it is not registered, it will throw "does not have a registered order", and it will be resolved. The method is to manually provide the registration order, call org.springframework.security.config.annotation.web.builders.HttpSecurity#addFilterBefore or org.springframework.security.config.annotation.web.builders.HttpSecurity#addFilterAfter to register in a built-in filter Before or after. please chcek the spring security internal filters sort "https://docs.spring.io/spring-security/site/docs/5.4.2/reference/html5/#servlet-security-filters". -- Please forgive me if I can't write well in English.