Menu
How can I specify order of my Filter in spring-boot? I need to insert my MDC filter after Spring Security filter. I tried almost everything but my filter was always first. This didn't work:
@Bean @Order(Ordered.LOWEST_PRECEDENCE) public UserInsertingMdcFilter userInsertingMdcFilter() { return new UserInsertingMdcFilter(); } This didn't work too:
@Bean public FilterRegistrationBean userInsertingMdcFilterRegistrationBean() { FilterRegistrationBean registrationBean = new FilterRegistrationBean(); UserInsertingMdcFilter userFilter = new UserInsertingMdcFilter(); registrationBean.setFilter(userFilter); registrationBean.setOrder(Integer.MAX_VALUE); return registrationBean; } 
275
Spring Security maintains a filter chain internally where each of the filters has a particular responsibility and filters are added or removed from the configuration depending on which services are required. The ordering of the filters is important as there are dependencies between them.
In Spring boot, we have filters to filter the HTTP request; filter, in general, is used to intercept the request, i.e. HTTP request and the response from the client-side. By the use of a filter, we can perform two operations which can be done on response and request.
There are three ways to add your filter, Annotate your filter with one of the Spring stereotypes such as @Component. Register a @Bean with Filter type in Spring @Configuration. Register a @Bean with FilterRegistrationBean type in Spring @Configuration.
Guys from Spring helped again. See https://github.com/spring-projects/spring-boot/issues/1640 and https://jira.spring.io/browse/SEC-2730
Spring Security doesn't set an order on the Filter bean that it creates. This means that, when Boot is creating a FilterRegistrationBean for it, it gets the default order which is LOWEST_PRECEDENCE.
If you want your own Filter to go after Spring Security's you can create your own registration for Spring Security's filter and specify the order.
So the answer to my question is:
@Bean public FilterRegistrationBean securityFilterChain(@Qualifier(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME) Filter securityFilter) { FilterRegistrationBean registration = new FilterRegistrationBean(securityFilter); registration.setOrder(Integer.MAX_VALUE - 1); registration.setName(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME); return registration; } @Bean public FilterRegistrationBean userInsertingMdcFilterRegistrationBean() { FilterRegistrationBean registrationBean = new FilterRegistrationBean(); UserInsertingMdcFilter userFilter = new UserInsertingMdcFilter(); registrationBean.setFilter(userFilter); registrationBean.setOrder(Integer.MAX_VALUE); return registrationBean; } This was fixed in Spring Boot 1.2. The security chain now defaults to order 0.
It can also be set via properties:
security.filter-order=0 # Security filter chain order. https://github.com/spring-projects/spring-boot/issues/1640
28
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
