HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location #9633

Closed
Psynbiotik opened this issue Apr 13, 2021 · 2 comments
Labels
in: config An issue in spring-security-config status: backported An issue that has been backported to maintenance branches type: bug A general bug

@Psynbiotik

Describe the bug
When setting up HttpSecurity it is possible to end up with the wrong order for filters by calling addFilterBefore multiple times.

To Reproduce
Start a standard Spring Boot app with a class SecurityConfiguration extends WebSecurityConfigurerAdapter, and override protected void configure(HttpSecurity http) throws Exception.

Do the following:

http
... standard setup ...
.addFilterBefore( myFilter, SomeFilterAtPosition100 )
.addFilterBefore( myFilter, SomeFilterAtPosition500 )
...

Then observe the order in which the filters are called. myFilter should be called before SomeFilterAtPosition100 and SomeFilterAtPosition500; however, you will find it is only before SomeFilterAtPosition500, and in fact it is at position 499.

You will find the same issue with addFilterAfter.

Expected behavior
myFilter should be before both SomeFilterAtPosition100 and SomeFilterAtPosition500, most likely at position 99.

To be clear, it should be before or after all filters as you specify in the HttpSecurity setup.

Pull request with code changes to fix this issue:
master...Psynbiotik:patch-1

@Psynbiotik Psynbiotik added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 13, 2021
@rwinch rwinch changed the title Unintended ordering of Filters HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location Apr 14, 2021
@rwinch rwinch added in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 14, 2021
@rwinch rwinch self-assigned this Apr 14, 2021
@rwinch rwinch closed this as completed in a31a855 Apr 14, 2021
@rwinch rwinch added this to the 5.5.0 milestone Apr 14, 2021
@rwinch
Member

rwinch commented Apr 14, 2021

Thanks for the report. This does seem like an issue. However, the patch does not fix the issue. Since the order is stored in a Map, the second invocation with the same class overrides the order. I pushed a fix for this with tests that verify the issue is fixed.
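
Added example, not part of the thread and not Spring Security source: a simplified model of the behaviour described above, where an order map keyed by filter class lets the second registration overwrite the first, next to a variant that keeps the order with each registration. All class and method names are hypothetical; the positions 100 and 500 are the ones used in the report. In the first variant the filter that was meant to run ahead of the position-100 filter ends up behind it.

```java
import java.util.*;

// Simplified model (Java 16+); every name here is hypothetical, not Spring Security source.
public class FilterOrderDemo {
    static class FilterAt100 {}
    static class FilterAt500 {}
    static class MyFilter {}
    record Registered(Object filter, int order) {}

    // Order is looked up by filter class, so a class can hold only one position.
    static List<String> orderKeyedByClass() {
        Map<Class<?>, Integer> order = new HashMap<>();
        order.put(FilterAt100.class, 100);
        order.put(FilterAt500.class, 500);
        List<Object> chain = new ArrayList<>(List.of(new FilterAt100(), new FilterAt500()));
        Object myFilter = new MyFilter();
        for (Class<?> before : List.of(FilterAt100.class, FilterAt500.class)) {
            // The second put() replaces the position derived from FilterAt100.
            order.put(myFilter.getClass(), order.get(before) - 1);
            chain.add(myFilter);
        }
        chain.sort(Comparator.comparingInt(f -> order.get(f.getClass())));
        return chain.stream()
                .map(f -> f.getClass().getSimpleName() + "@" + order.get(f.getClass()))
                .toList();
    }

    // Order travels with each registration, so both requested positions survive.
    static List<String> orderPerRegistration() {
        Map<Class<?>, Integer> known = Map.of(FilterAt100.class, 100, FilterAt500.class, 500);
        List<Registered> chain = new ArrayList<>(List.of(
                new Registered(new FilterAt100(), 100), new Registered(new FilterAt500(), 500)));
        Object myFilter = new MyFilter();
        for (Class<?> before : List.of(FilterAt100.class, FilterAt500.class)) {
            chain.add(new Registered(myFilter, known.get(before) - 1));
        }
        chain.sort(Comparator.comparingInt(Registered::order));
        return chain.stream()
                .map(r -> r.filter().getClass().getSimpleName() + "@" + r.order())
                .toList();
    }

    public static void main(String[] args) {
        System.out.println("keyed by class:   " + orderKeyedByClass());
        System.out.println("per registration: " + orderPerRegistration());
    }
}
```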

@skpandey91

skpandey91 commented Dec 23, 2021

Now addFilterAfter is failing to set the order for an already registered filter like CorsFilter.
Is it a BWC?
