natanc
Reputation: 41
Spring Boot - Multiple filter chains from dependencies
I'm having a following scenario with Spring modules A and B:
- module A - Spring module having security setup for single sign on, using @EnableOAuth2Sso, @EnableWebSecurity(debug = true) and @Order(Ordered.HIGHEST_PRECEDENCE)
- module B - Spring Boot application, has A as dependency , doesn't use any security configuration.
When I launch B, I get 2 Filter chains , first comes from module A and it's used for SSO, second comes from module B and is redundant:
- o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: AnyRequestMatcher@1, [WebAsyncManagerIntegrationFilter@1407b93f, SecurityContextPersistenceFilter@38241615, OAuth2ClientContextFilter@31a8c3a3, HeaderWriterFilter@6bf2ecbb, LogoutFilter@6cc022ac, OAuth2ClientAuthenticationProcessingFilter@5aff8207, BasicAuthenticationFilter@42eaf47f, RequestCacheAwareFilter@42fc744, SecurityContextHolderAwareRequestFilter@6eeb15f9, AnonymousAuthenticationFilter@6a5a99d9, SessionManagementFilter@5955568, ExceptionTranslationFilter@74ec4df3, FilterSecurityInterceptor@6a577564]
- o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: AnyRequestMatcher@1, [WebAsyncManagerIntegrationFilter@138110f8, SecurityContextPersistenceFilter@6278371a, HeaderWriterFilter@6b61a4b0, LogoutFilter@30623109, RequestCacheAwareFilter@c6a1be2, SecurityContextHolderAwareRequestFilter@6a486afb, AnonymousAuthenticationFilter@4fe8ac61, SessionManagementFilter@5c00de0d, ExceptionTranslationFilter@32db94fb]
Problems:
- how can I disable default filter chain that has no use?
- debug flag of module A - @EnableWebSecurity(debug = true) , is ignored when running module B and I'm not able to debug the security setup
- is it possible to "extend" the chain of A and add more filters in B ?
Upvotes: 3
Views: 1060
Answers (1)
nalas
Reputation: 85
This is old but I had the same issue and solved it by adding the @EnableWebSecurity annotation to module A and this to the module B:s @SpringBootApplication:
@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })
If you want to know why then google "SecurityAutoConfiguration" for more information about Springs security default behaviour.
Upvotes: 0
Related Questions
- Spring custom filters one after each other in the filter chain
- Controlling the order of non-security Filters in a Spring Boot app using Spring Security
- Multiple WebSecurityConfigurerAdapter and Filter Chains
- Invoke a filter before spring security filter chain in boot
- Springboot with multiple filters
- How to set up filter chain in spring boot?
- Filter ordering with spring security and spring boot
- Spring Security filterChainProxy ?!?! Declare all the filter to use only one custom filter?
- Spring configuration with filter chain
- Spring Custom filter chain