相关文章推荐
英勇无比的野马  ·  Excel新函数Choosecols与Cho ...·  1 月前    · 
自信的可乐  ·  数据库索引原理及优化 - 知乎·  1 年前    · 
仗义的竹笋  ·  使用JPA和Hibernate进行批量处理的 ...·  1 年前    · 
坚强的柿子  ·  Junit单元测试多线程的问题 - ...·  1 年前    · 
激动的手套  ·  面试官:请实现单行文本居中,多行文本左对齐? ...·  1 年前    · 
Code  ›  java - Filter order in spring-boot - Stack Overflow
https://stackoverflow.com/questions/25957879/filter-order-in-spring-boot
鼻子大的肉夹馍
1 年前
Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Learn more about Collectives

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Learn more about Teams

How can I specify order of my Filter in spring-boot? I need to insert my MDC filter after Spring Security filter. I tried almost everything but my filter was always first. This didn't work: 

@Bean
@Order(Ordered.LOWEST_PRECEDENCE)
public UserInsertingMdcFilter userInsertingMdcFilter() {
    return new UserInsertingMdcFilter();

This didn't work too:


@Bean
public FilterRegistrationBean userInsertingMdcFilterRegistrationBean() {
    FilterRegistrationBean registrationBean = new FilterRegistrationBean();
    UserInsertingMdcFilter userFilter = new UserInsertingMdcFilter();
    registrationBean.setFilter(userFilter);
    registrationBean.setOrder(Integer.MAX_VALUE);
    return registrationBean;
                @Order(Ordered.LOWEST_PRECEDENCE + 100) will not work because Ordered.LOWEST_PRECEDENCE = Integer.Max and  Integer.Max + 100 = some negative number, this would mean a very high precedence
– Ralph
                Sep 21, 2014 at 9:57
                Possible duplicate of How to define Servlet filter order of execution in Spring Boot application
– OrangeDog
                Apr 15, 2016 at 16:49

Guys from Spring helped again. See https://github.com/spring-projects/spring-boot/issues/1640 and https://jira.spring.io/browse/SEC-2730

  
Spring Security doesn't set an order on the Filter bean that it
  creates. This means that, when Boot is creating a
  FilterRegistrationBean for it, it gets the default order which is
  LOWEST_PRECEDENCE.

  
If you want your own Filter to go after Spring Security's you can
  create your own registration for Spring Security's filter and specify
  the order.


So the answer to my question is:


@Bean
public FilterRegistrationBean securityFilterChain(@Qualifier(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME) Filter securityFilter) {
    FilterRegistrationBean registration = new FilterRegistrationBean(securityFilter);
    registration.setOrder(Integer.MAX_VALUE - 1);
    registration.setName(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);
    return registration;
@Bean
public FilterRegistrationBean userInsertingMdcFilterRegistrationBean() {
    FilterRegistrationBean registrationBean = new FilterRegistrationBean();
    UserInsertingMdcFilter userFilter = new UserInsertingMdcFilter();
    registrationBean.setFilter(userFilter);
    registrationBean.setOrder(Integer.MAX_VALUE);
    return registrationBean;
                See also discussion in github.com/spring-projects/spring-boot/issues/677 and github.com/spring-projects/spring-boot/issues/1640
– Hendy Irawan
                Jun 20, 2015 at 7:41
                Given HIGHEST_PRECEDENCE = -2147483648 and LOWEST_PRECEDENCE = 2147483647 I would assume lowest precedence would go last? Everything would go before it?
– ianstarz
                May 19, 2018 at 16:58
                It should go last. From JavaDoc of @Order: Lower values have higher priority. The default value is Ordered.LOWEST_PRECEDENCE, indicating lowest priority (losing to any other specified order value).
– lrxw
                Jun 6, 2018 at 6:56

Here's an answer compatible with Spring Boot 2 / Spring Security 5 that will allow you to insert your filter in an arbitrary place in the filter chain.


My use case was a custom logging javax.servlet.Filter that I wanted to execute  before any Spring Security filters; however the below steps should allow you to put a filter anywhere in your existing Spring filter chain:


Step 1: Find out the order of Spring filters in your existing setup.


Connect your favorite remote debugger to your application, and set a breakpoint in the doFilter(ServletRequest request, ServletResponse response) method of org.springframework.security.web.FilterChainProxy. As of Spring Security 5.1.6, that is line 311. In your debugger, find out the existing filters by inspecting this.additionalFilters. In my application, the order was something like:


0: WebAsyncManagerIntegrationFilter
1: SecurityContextPersistenceFilter
2: HeaderWriterFilter

Step 2: Insert your filter in the desired place using Spring's WebSecurityConfigurerAdapter and HttpSecurity


You likely already have a WebSecurityConfigurerAdapter with a @Override configure(HttpSecurity http) method. HttpSecurity exposes addFilterBefore and addFilterAfter methods to allow you to place your filter relative to an existing class in the chain. Your filter (instance) is the first argument of these methods, and the class of the filter you'd like to insert before or after is the second argument.


In my case, I wanted my custom logging filter to be first in the chain (my code snippet is Kotlin, I'll leave the Java implementation to you):


override fun configure(http: HttpSecurity) {
        .addFilterBefore(MyCustomLoggingFilter(), WebAsyncManagerIntegrationFilter::class.java)
        .authorizeRequests()
        .antMatchers(

Step 3: Profit!


Use the debugging method described in Step 1 above to verify that your filter is where you intended in the filter chain.


Hope this helps someone else out there.


This was fixed in Spring Boot 1.2. The security chain now defaults to order 0.


It can also be set via properties:


security.filter-order=0 # Security filter chain order.

https://github.com/spring-projects/spring-boot/issues/1640

                In Spring Boot 1.3.x it is SecurityProperties.DEFAULT_FILTER_ORDER and is FilterRegistrationBean.REQUEST_WRAPPER_FILTER_MAX_ORDER	- 100 or simply -100.
– gavenkoa
                Jul 18, 2017 at 20:54

Note that the Spring Security filter chain is not all there is when it comes to filters. In fact, there is a complete (non-security) filter chain at work, with one of the filters being an instance of DelegatingFilterProxy which (nomen est omen) delegates to another filter called FilterChainProxy which manages its own sublist of filters, all geared towards security related topics. This pattern has the advantage that all security filters are in one place and ordered correctly with respect to each other. This however doesn't help you at all if you need a filter to be executed either before or after all security filters. While it is true that you can configure this using the HttpSecurity object by selecting either the first or last filter in that list, it is logically weird, since chances are your filter has nothing at all to do with security. If you set a breakpoint in DelegatingFilterProxy::doFilter(ServletRequest, ServletResponse, FilterChain) you will see the entire filter chain of the application. You can even drill into the FilterChainProxy to find all the spring security filters if you want to. Then you can open the relevant classes one by one to find out their configured orders. Once you know, where your filter ought to be, you can annotate it.


If for example you need to configure a logging filter and you want to log all security failures (needs to go before FilterChainProxy) but also want a useful tracing ID (needs to go after LazyTracingFilter which has a configured default order of TraceHttpAutoConfiguration.TRACING_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 5) you can annotate your filter with @Order(Ordered.HIGHEST_PRECEDENCE + 6).

                This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review
– Hanchen Jiang
                Jan 1, 2022 at 22:51

in your first case ,it is a error config,and spring's docs has special reminder :


You cannot configure the order of a Filter by annotating its bean method with @Order.


and you can find from this: https://docs.spring.io/spring-boot/docs/current/reference/html/spring-boot-features.html#boot-features-embedded-container-servlets-filters-listeners-beans

        
Thanks for contributing an answer to Stack Overflow!
  • Please be sure to answer the question. Provide details and share your research!
But avoid
  • Asking for help, clarification, or responding to other answers.
  • Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.

				Spring Security Filters list as shown in DefaultSecurityFilterChain are different from Spring document
                See more linked questions
 
推荐文章
英勇无比的野马  ·  Excel新函数Choosecols与Chooserows玩法_数组_结构_模板
1 月前
自信的可乐  ·  数据库索引原理及优化 - 知乎
1 年前
仗义的竹笋  ·  使用JPA和Hibernate进行批量处理的最佳方式 - 林本托 - 博客园
1 年前
坚强的柿子  ·  Junit单元测试多线程的问题 - Mr.Yanphet - 博客园
1 年前
激动的手套  ·  面试官:请实现单行文本居中,多行文本左对齐?_51CTO博客_文本左对齐怎么设置
1 年前
今天看啥   ·   Py中国   ·   codingpro   ·   藏经阁   ·   小百科   ·   link之家   ·   卧龙AI搜索
删除内容请联系邮箱 2879853325@qq.com
Code - 代码工具平台
© 2024 ~ 沪ICP备11025650号