Reputation: 323
I have several filters defined in my web.xml file. The problem is that after I migrated from Spring Security 3.0.5 to 3.2.5, filters declared after Spring's DelegatingFilterProxy are not executed.
...
<filter>
    <filter-name>noCacheHeaderFilter</filter-name>
    <filter-class>com.domain.web.filter.NoCacheHeaderFilter</filter-class>
</filter>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- not executed below -->
<filter>
    <filter-name>traceFilter</filter-name>
    <filter-class>com.domain.web.filter.TraceFilter</filter-class>
</filter>
...
Here's the Security config file:
<http auto-config="false" disable-url-rewriting="false">
    <intercept-url pattern="/server/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/includes/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <!-- may be needed later <intercept-url pattern="/static/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>-->
    <intercept-url pattern="/favicon.ico" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/error.html" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/index.html" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/users/password" access="IS_AUTHENTICATED_ANONYMOUSLY" method="PUT"/>
    <intercept-url pattern="/test.html" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/Silverlight.js" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/ClientBin/**/*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/help/**/*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/components/download/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <custom-filter ref="unsuccessfulBasicAuthenticationFilter" position="BASIC_AUTH_FILTER"/>
    <!--http-basic /-->
    <form-login login-processing-url="/login"
                authentication-failure-handler-ref="authenticationFailureHandlerService"
                authentication-success-handler-ref="loginSuccessHandler"/>
    <logout logout-url="/logout" success-handler-ref="logoutSuccessHandler"/>
</http>
This error happens on the "*/login" URL. Can someone explain what I'm doing wrong?
UPDATE
That's the code for loginSuccessHandler:
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
    if (authentication != null) {
        String redirectUrl = "";
        HttpSession session = request.getSession(false);
        if (session != null) {
            SavedRequest savedRequest = (SavedRequest) session.getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY");
            if (savedRequest != null) {
                redirectUrl = savedRequest.getRedirectUrl();
            }
        }
        User user = ((NgnmsUserDetails) (authentication.getPrincipal())).getUser();
        // if status user, do not add an event (status user is used by status script, to check if NMS is available)
        if (user != null && !user.getLogin().equals(User.STATUS_USER)) {
            WebAuthenticationDetails details = (WebAuthenticationDetails) SecurityContextHolder.getContext().getAuthentication().getDetails();
            user.setSessionId(details.getSessionId());
            userService.updateUser(user);
            if (redirectUrl == null || !redirectUrl.contains("/ws/")) {
                User.setCurrent(user);
                threadedApplicationEventPublisher.publishEvent(new UserLoginPostEvent(this, user, request.getRemoteAddr()));
            }
        }
    }
    super.onAuthenticationSuccess(request, response, authentication);
}
In debug this code returns without any problems; however, no other filter from Spring Security's own chain after UsernamePasswordAuthenticationFilter is called.
Here is the debug output from Spring Security:
24-Dec-2014 12:43:23,357 DEBUG [FilterChainProxy:http-192.168.143.119-8090-1] /login at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
24-Dec-2014 12:43:23,358 DEBUG [HttpSessionSecurityContextRepository:http-192.168.143.119-8090-1] No HttpSession currently exists
24-Dec-2014 12:43:23,368 DEBUG [HttpSessionSecurityContextRepository:http-192.168.143.119-8090-1] No SecurityContext was available from the HttpSession: null. A new one will be created.
24-Dec-2014 12:43:23,370 DEBUG [FilterChainProxy:http-192.168.143.119-8090-1] /login at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
24-Dec-2014 12:43:23,370 DEBUG [FilterChainProxy:http-192.168.143.119-8090-1] /login at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
24-Dec-2014 12:43:23,371 DEBUG [UsernamePasswordAuthenticationFilter:http-192.168.143.119-8090-1] Request is to process authentication
24-Dec-2014 12:43:23,372 DEBUG [ProviderManager:http-192.168.143.119-8090-1] Authentication attempt using com.domain.security.impl.springsecurity.RandTechAuthenticationProvider
24-Dec-2014 12:43:23,405 DEBUG [CompositeSessionAuthenticationStrategy:http-192.168.143.119-8090-1] Delegating to org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy@5259817a
24-Dec-2014 12:43:23,406 DEBUG [UsernamePasswordAuthenticationFilter:http-192.168.143.119-8090-1] Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@365ec150: Principal: com.domain.security.impl.springsecurity.NgnmsUserDetails@72439ad2; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@59b2: RemoteIpAddress: 192.168.143.119; SessionId: null; Granted Authorities: ROLE_USER
24-Dec-2014 12:43:23,429 DEBUG [root:main] preRegister called. Server=com.sun.jmx.mbeanserver.JmxMBeanServer@149ee0f1, name=log4j:logger=root
24-Dec-2014 12:43:23,501 DEBUG [DefaultRedirectStrategy:http-192.168.143.119-8090-1] Redirecting to '/index.html'
24-Dec-2014 12:43:23,502 DEBUG [HttpSessionSecurityContextRepository:http-192.168.143.119-8090-1] HttpSession being created as SecurityContext is non-default
24-Dec-2014 12:43:23,505 DEBUG [HttpSessionSecurityContextRepository:http-192.168.143.119-8090-1] SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@365ec150: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@365ec150: Principal: com.domain.security.impl.springsecurity.NgnmsUserDetails@72439ad2; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@59b2: RemoteIpAddress: 192.168.143.119; SessionId: null; Granted Authorities: ROLE_USER'
24-Dec-2014 12:43:23,505 DEBUG [SecurityContextPersistenceFilter:http-192.168.143.119-8090-1] SecurityContextHolder now cleared, as request processing completed
Upvotes: 1
Views: 530
Reputation: 22742
This sounds normal. After processing the login request, Spring Security will call your loginSuccessHandler, which usually does a redirect and returns. Nothing in the filter chain beyond the authentication filter will be invoked (including other filters in your web.xml).
Upvotes: 1
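A simplified model of the behaviour described in the answer, as an added example that is not part of the original thread. The Chain and Filter interfaces are stand-ins for the servlet API (an assumption so the code runs without a container), and the security filter is reduced to the single branch that matters here: on /login it redirects and returns without continuing the chain.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

// Simplified model of servlet filter chaining; these interfaces are stand-ins
// for javax.servlet.Filter/FilterChain so the example runs without a container.
public class FilterChainDemo {
    interface Chain { void doFilter(String path); }
    interface Filter { void doFilter(String path, Chain chain); }

    static final List<String> invoked = new ArrayList<>();

    // A filter that records its name and always passes the request on.
    static Filter passThrough(String name) {
        return (path, chain) -> { invoked.add(name); chain.doFilter(path); };
    }

    // Stand-in for the security chain: on the login-processing URL the
    // authentication filter calls the success handler (a redirect) and returns
    // WITHOUT calling chain.doFilter(), so nothing after it runs.
    static final Filter security = (path, chain) -> {
        invoked.add("springSecurityFilterChain");
        if (path.equals("/login")) {
            invoked.add("redirect -> /index.html");
            return;
        }
        chain.doFilter(path);
    };

    // Runs the filters in declaration order and returns what was invoked.
    static List<String> run(String path, Filter... filters) {
        invoked.clear();
        Iterator<Filter> it = Arrays.asList(filters).iterator();
        Chain chain = new Chain() {
            public void doFilter(String p) {
                if (it.hasNext()) it.next().doFilter(p, this);
                else invoked.add("servlet");
            }
        };
        chain.doFilter(path);
        return new ArrayList<>(invoked);
    }

    public static void main(String[] args) {
        Filter noCache = passThrough("noCacheHeaderFilter");
        Filter trace = passThrough("traceFilter");
        System.out.println("/login      " + run("/login", noCache, security, trace));
        System.out.println("/index.html " + run("/index.html", noCache, security, trace));
    }
}
```

In the model, passing traceFilter ahead of the security filter is what makes it run on /login as well; in web.xml the equivalent ordering is set by the order of the filter-mapping elements.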