Exception with (Custom) RestAuthenticationProcessingFilter Ordering

Question

I try to add Rest authentication by token to my app. I created a simple filter doing nothing else print a message :

public class RestAuthenticationProcessingFilter extends GenericFilterBean {

    @Override
    public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2) throws IOException, ServletException {
        System.out.println(arg0);
        // EDIT 25/02/2014
        arg2.doFilter(arg0,arg1);
    }
}

I'm using Spring 4.0 and Spring Security 3.2 with JavaConfig.

I added this in my adapter :

@Override
protected void configure(HttpSecurity http) throws Exception {
    /*
     * @RemarqueDev Différence entre permitAll et anonymous : permitAll
     * contient anonymous. Anonymous uniquement pour non connecté
     */
     http.addFilter(new RestAuthenticationProcessingFilter());
     http.csrf().disable().headers().disable();
     http.exceptionHandling().authenticationEntryPoint(new RestAuthenticationEntryPoint());
}

When I run jetty server, I receive this message:

Nested in org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public javax.servlet.Filter org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain() throws java.lang.Exception] threw exception; nested exception is java.lang.IllegalArgumentException: The Filter class my.package.config.RestAuthenticationProcessingFilter does not have a registered order and cannot be added without a specified order. Consider using addFilterBefore or addFilterAfter instead.:
java.lang.IllegalArgumentException: The Filter class com.jle.athleges.config.RestAuthenticationProcessingFilter does not have a registered order and cannot be added without a specified order. Consider using addFilterBefore or addFilterAfter instead.
    at org.springframework.security.config.annotation.web.builders.HttpSecurity.addFilter(HttpSecurity.java:1122)

Why?

Answer 1

Spring defines a sorting rule for security filters, check the constructor org.springframework.security.config.annotation.web.builders.FilterComparator.
When you call

org.springframework.security.config.annotation.web.builders.HttpSecurity #When addFilter

its method will use

org.springframework.security.config.annotation.web.builders.FilterComparator

which are built-in security filter sorting rules to check whether the Filter is registered or not.

When it is not registered, it will throw

Does not have a registered order

and it will be resolved.

The method is to manually provide the registration order, call

org.springframework.security.config.annotation.web.builders.HttpSecurity#addFilterBefore

or

org.springframework.security.config.annotation.web.builders.HttpSecurity#addFilterAfter` to register a built-in filter as `Before` or `After

Please check the spring security internal filters sort https://docs.spring.io/spring-security/site/docs/5.4.2/reference/html5/#servlet-security-filters

Answer 2

addFilter:

Adds a Filter that must be an instance of or extend one of the Filters provided within the Security framework. The method ensures that the ordering of the Filters is automatically taken care of. The ordering of the Filters is:...

Your filter is not an instance or extend of the Filter within the Security framework.

What you can do however is use addFilterBefore or addFilterAfter.

For example:

addFilterBefore(new RestAuthenticationProcessingFilter(), BasicAuthenticationFilter.class)

You can find the order of the security filter chain in the docs.