I have a Spring Boot WebMVC application, and a bean that inherits from AbstractPreAuthenticatedProcessingFilter which I am explicitly adding to a specific spot in the Spring Security filter chain. My Spring Security configuration looks like this:
<http pattern="/rest/**"> <intercept-url pattern="/**" access="ROLE_USER"/> <http-basic/> <custom-filter after="BASIC_AUTH_FILTER" ref="preAuthenticationFilter"/> </http> <beans:bean id="preAuthenticationFilter" class="a.b.PreAuthenticationFilter"> <beans:property name="authenticationManager" ref="customAuthenticationManager"/> </beans:bean>
The security configuration works. The problem is, because the PreAuthenticationFilter class inherits from AbstractPreAuthenticatedProcessingFilter, Spring Boot treats it as a general purpose servlet filter and is adding it to the servlet filter chain for all requests. I don't want this filter to be part of the filter chain for all requests. I only want it to be part of the specific Spring Security filter chain that I've configured. Is there a way to prevent Spring Boot from automatically adding the preAuthenticationFilter bean to the filter chain?
By default Spring Boot creates a FilterRegistrationBean
for every Filter
in the application context for which a FilterRegistrationBean
doesn't already exist. This allows you to take control of the registration process, including disabling registration, by declaring your own FilterRegistrationBean
for the Filter
. For your PreAuthenticationFilter
the required configuration would look like this:
@Bean public FilterRegistrationBean registration(PreAuthenticationFilter filter) { FilterRegistrationBean registration = new FilterRegistrationBean(filter); registration.setEnabled(false); return registration; }
You may also be interested in this Spring Boot issue which discusses how to disable the automatic registration of Filter
and Servlet
beans.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With