Sheel

Reputation: 1030

Spring Security OAuth2 disable BasicAuthenticationFilter from default filter chain

In the Authorization Server, I need to add a custom BasicAuthenticationFilter because of some manipulation of the client id. The implementation is mostly the same as BasicAuthenticationFilter. The following is a snippet of it:

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) {
    ...
    ...
    String username = someDecoder(tokens[0]); // Kind of something
    ...
    ...
}

My custom filter is placed before BasicAuthenticationFilter in the filter chain:

http.addFilterBefore(new CustomBasicAuthenticationFilter(authenticationManager(), authenticationEntryPoint()),
    BasicAuthenticationFilter.class);

This custom filter works well and the user is authenticated successfully. But because BasicAuthenticationFilter is still present in the chain, that filter is also executed and tries to authenticate the user again, but fails because the client credentials have not been manipulated. See BasicAuthenticationFilter-GitHub

So, to remove/disable BasicAuthenticationFilter from the filter chain, I followed this SOQ, which suggested using a BeanPostProcessor. But in Spring Boot the filter chain is registered with the bean name springSecurityFilterChain and class FilterChainProxy, and FilterChainProxy-GitHub returns an unmodifiable list of SecurityFilterChain. So it is next to impossible to alter the FilterChainProxy bean.

So how can I achieve the same, or is there any other way to remove/disable BasicAuthenticationFilter or any other filter from the Spring Security filter chain?

Using Spring Boot 1.5.1 and Spring Security OAuth2 2.0.12

Upvotes: 5

Views: 5424

Answers (1)

Mario

Reputation: 173

I think you can use this other answer: https://stackoverflow.com/a/28428154/2648577

---- >>> this is a copy/paste (changing filter name).

By default Spring Boot creates a FilterRegistrationBean for every Filter in the application context for which a FilterRegistrationBean doesn't already exist. This allows you to take control of the registration process, including disabling registration, by declaring your own FilterRegistrationBean for the Filter. For your BasicAuthenticationFilter the required configuration would look like this:

@Bean
public FilterRegistrationBean registration(BasicAuthenticationFilter filter) {
  FilterRegistrationBean registration = new FilterRegistrationBean(filter);
  registration.setEnabled(false);
  return registration;
}

You may also be interested in this Spring Boot issue which discusses how to disable the automatic registration of Filter and Servlet beans.

Upvotes: 0
