 

Why do we need to call http.addFilterBefore() method in spring security configure(HttpSecurity http) method?

I am trying to understand why we usually need to call the http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class) method in the initial configure(HttpSecurity http) method. As I understood, it will first add a result from jwtAuthenticationFilter() and then UsernamePasswordAuthenticationFilter, but I am not sure why. jwtAuthenticationFilter() implementation:

@Override
protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
    authenticationManagerBuilder.userDetailsService(customerService).passwordEncoder(bCryptPasswordEncoder());
}

Also is it that the security class that extends WebSecurityConfigurerAdapter will only be called once on startup?

Petar Petrovic asked Nov 22 '19 14:11


People also ask

What is addFilterBefore Spring Security?

addFilterBefore(filter, class) adds a filter before the position of the specified filter class. addFilterAfter(filter, class) adds a filter after the position of the specified filter class.

What is HttpSecurity in Java?

A HttpSecurity is similar to Spring Security's XML <http> element in the namespace configuration. It allows configuring web based security for specific http requests. By default it will be applied to all requests, but can be restricted using requestMatcher(RequestMatcher) or other similar methods.

What is authentication filter in Spring Security?

Class AuthenticationFilter: A Filter that performs authentication of a particular request. An outline of the logic: A request comes in and if it does not match setRequestMatcher(RequestMatcher), then this filter does nothing and the FilterChain is continued.

What can I use instead of WebSecurityConfigurerAdapter?

You need to declare SecurityFilterChain and WebSecurityCustomizer beans instead of overriding methods of WebSecurityConfigurerAdapter class. NOTE: If you don't want to change your current code, you should keep Spring Boot version lower than 2.7.0 or Spring Security version older than 5.7.1.


1 Answer

  1. why do we usually need to call

We are configuring, not calling!

  1. Also is it that the security class that extends WebSecurityConfigurerAdapter will only be called once on startup?

Yes, configure methods will be executed (run-time polymorphism) on startup to set up HttpSecurity or configure Spring Security filters.


In simple words, Spring Security is a filter-based framework. Either we are enabling an existing filter and configuring it, or adding our custom filter.

  1. The configure() method is used to set up existing filters; after setting up, we can modify those filters' configuration. If your modification of the configuration does not fulfill your requirements, then you can define your own custom filters.

  2. To define a custom filter there are three* provisions, as given below
    (actually 4: addFilterAt(), which is rarely used)

 --------------------------------------------------------------------------------------
| java-config                      | xml-config                                        |
 --------------------------------------------------------------------------------------
| .addFilter()                     | <custom-filter  position="BASIC_AUTH_FILTER"/>    |
 --------------------------------------------------------------------------------------
| .addFilterBefore()               | <custom-filter  before="LAST" />                  |
 --------------------------------------------------------------------------------------
| .addFilterAfter()                | <custom-filter  after="FIRST" />                  |
 -------------------------------------------------------------------------------------- 
  3. In simple words:
  • .addFilter(): You can add only an instance of Spring-defined filters, or you can add a subclass of those Spring Security-defined filters. For example,
    .addFilter(customAuthFilter, UsernamePasswordAuthenticationFilter.class): customAuthFilter should be an instance of a UsernamePasswordAuthenticationFilter subclass or an instance of UsernamePasswordAuthenticationFilter.

  • .addFilterAfter() and .addFilterBefore(): Here the filter can be any custom filter. However, the custom filter should be an implementation of GenericFilterBean. In most cases, an implementation of OncePerRequestFilter will be used.

You can refer to the sequence of execution in Spring Security for a detailed analysis.

PraveenKumar Lalasangi answered Oct 11 '22 18:10