Reputation: 25265
Why is my (Spring Security) servlet filter getting called twice?
Any ideas about why doFilterHttp in my SpringSecurityFilter subclass is getting called twice on each request? I don't really know where to start looking. Feeling a little stumped.
I'm reverse engineering a vacationing co-worker's code. To the best I can figure it, here's the relevant configuration:
in web.xml:
<filter>
<filter-name>userSecurityFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>userSecurityFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>userSecurityFilter</filter-name>
<url-pattern>/json/*</url-pattern>
In spring-security.xml:
<!-- Create the filter chains for developers, users and services -->
<bean id="userSecurityFilter" class="org.springframework.security.util.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<security:filter-chain pattern="/**/json/*" filters="AuthFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor"/>
<security:filter-chain pattern="/**/*.do" filters="AuthFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor"/>
<security:filter-chain pattern="/**" filters="anonymousProcessingFilter,logoutFilter,exceptionTranslationFilter,filterInvocationInterceptor"/>
</security:filter-chain-map>
</bean>
It looks like the /**/json/* urls are getting the filter chain applied twice, while others only get it once. I'm going to go back and check to make sure what I just said is really true.
Upvotes: 2
Views: 10558
Answers (3)
Reputation: 25265
Ok, fixed it I think.
<filter-mapping>
<filter-name>userSecurityFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>userSecurityFilter</filter-name>
<url-pattern>/json/*</url-pattern>
There are urls under /json/ that end in ".do", so those urls were getting all of the Spring Security stuff applied twice. Thanks for the responses! Even though it was a dumb problem and I answered it myself, working through the reponses led me to the answer. Much appreciated.
Upvotes: 2
Reputation: 9855
Spring Security filters are not configured in the web.xml like classic Servlet Filters. They are instead configured somewhere in the application-context.xml (or whatever .xml configuration files you import in your web.xml).
Look for beans with a tag like this :
<custom-filter position="LAST" />
adding that tag to a bean will add it to your Spring Security filter chain. My guess is that it's added to the chain properly and also added as a Servlet Filter as shown above. Hence it's actually configured twice.
Upvotes: 0
Reputation: 28059
Not much to go on here, but it may be that servlet container is processing several dispatchers, look in web.xml for:
<filter-mapping>
<filter-name>securityFilter</filter-name>
<url-pattern>/*</url-pattern>
<!-- the following is optional, but some containers give the wrong default -->
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Can you post the filter-mapping from your web.xml?
Upvotes: 1
Related Questions
- Spring security custom filter called twice for REST Controller
- Spring security custom filter called multiple times
- Custom Spring filter causing next filter in chain not to fire?
- Spring boot filter called twice or not called at all
- Spring Security Custom Filter gets called Multiple times
- Spring Security Filter chain executed twice per request. Why?
- doFilter method called multiple times when an error is throw in a custom Servlet Filter
- Cannot override or disable spring boot-instantiated Filter, resulting in duplicate entries in filter chain
- Spring custom filter execute only 1 time on specified url
- Why does my Servlet Filter run twice?