Why do we need to call http.addFilterBefore() method in spring security configure(HttpSecurity http) method?

I am trying to understand why we usually need to call http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class) in the initial configure(HttpSecurity http) method. As I understand it, it will first add the result of jwtAuthenticationFilter() and then UsernamePasswordAuthenticationFilter, but I am not sure why. jwtAuthenticationFilter() implementation:

@Override
protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
    // Register the user lookup service and the BCrypt encoder used to check stored password hashes
    authenticationManagerBuilder.userDetailsService(customerService).passwordEncoder(bCryptPasswordEncoder());
}

Also is it that the security class that extends WebSecurityConfigurerAdapter will only be called once on startup?

Did you try to use addFilterAfter(jwtAuthenticationFilter(),UsernamePasswordAuthenticationFilter.class) and see what is going to happen? – A.Oubidar Nov 22, 2019 at 14:52

For the second question, each request that comes to your application will pass through your security class and filters. – A.Oubidar Nov 22, 2019 at 15:00

I think personally that calling JWT authentication filter before UsernameAndPassword authentication filter is just to ensure that the filter respects Spring Security Filter Chain order and it's not directly related to UsernameAndPassword Filter. The important point is to call Authentication processing mechanisms together before going further in the chain. For more info about The Security Filter Chain, please check the official docs at docs.spring.io/spring-security/site/docs/3.0.x/reference/… – A.Oubidar Nov 22, 2019 at 15:07

  • Also is it that the security class that extends WebSecurityConfigurerAdapter will only be called once on startup?
  • Yes, the configure methods will be executed (run-time polymorphism) on startup to set up HttpSecurity or to configure Spring Security filters.

    In simple words, Spring Security is a filter-based framework. Either we enable an existing filter and configure it, or we add our custom filter.

  • The configure() method is used to set up existing filters; after setting them up we can modify those filters' configuration. If modifying the configuration does not fulfill your requirements, then you can define your own custom filters.

  • To define a custom filter there are three* provisions, as given below
    (actually 4: addFilterAt(), which is rarely used)

     --------------------------------------------------------------------------------------
    | java-config                      | xml-config                                        |
     --------------------------------------------------------------------------------------
    | .addFilter()                     | <custom-filter  position="BASIC_AUTH_FILTER"/>    |
     --------------------------------------------------------------------------------------
    | .addFilterBefore()               | <custom-filter  before="LAST" />                  |
     --------------------------------------------------------------------------------------
    | .addFilterAfter()                | <custom-filter  after="FIRST" />                  |
     -------------------------------------------------------------------------------------- 
    
  • In simple words:
  • .addFilter() You can add only an instance of a Spring-defined filter or an instance of a subclass of those Spring Security defined filters. For example
    .addFilter(customAuthFilter) customAuthFilter should be an instance of a UsernamePasswordAuthenticationFilter subclass or an instance of UsernamePasswordAuthenticationFilter.

  • .addFilterAfter() and .addFilterBefore() Here the filter can be any custom filter. However, the custom filter should be an implementation of GenericFilterBean. In most cases, an implementation of OncePerRequestFilter will be used.

    You can refer to sequence of execution in Spring Security for detailed analysis.

    Why should we add the JWT filter before UsernamePasswordAuthenticationFilter and not the other way around? – vuvo Sep 7, 2021 at 16:13
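
An added example, not code from the question or the answer: a minimal wiring for Spring Security 5.x (javax.servlet) in which configure() builds the chain once at startup while the custom filter runs on every request, placed ahead of UsernamePasswordAuthenticationFilter so the SecurityContext is populated before the authorization filters later in the chain. TokenVerifier is a hypothetical interface standing in for real JWT signature and expiry validation, and the application is assumed to supply a bean of that type.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical (assumption): returns the subject of a token whose signature and expiry verify, else null.
interface TokenVerifier { String verifiedSubject(String token); }

class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final TokenVerifier verifier;
    JwtAuthenticationFilter(TokenVerifier verifier) { this.verifier = verifier; }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException { // runs on every request
        String header = req.getHeader("Authorization");
        String subject = (header != null && header.startsWith("Bearer "))
                ? verifier.verifiedSubject(header.substring(7)) : null;
        if (subject != null) {
            // Three-argument constructor marks the token as authenticated; no roles are granted here.
            SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(subject, null, AuthorityUtils.NO_AUTHORITIES));
        }
        chain.doFilter(req, res); // missing or invalid token: stay anonymous, rejected downstream
    }
}

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final TokenVerifier verifier;
    public SecurityConfig(TokenVerifier verifier) { this.verifier = verifier; }
    @Override
    protected void configure(HttpSecurity http) throws Exception { // runs once, at startup
        http.csrf().disable() // bearer-token API: no session cookie for CSRF to ride on
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().anyRequest().authenticated().and()
            .addFilterBefore(new JwtAuthenticationFilter(verifier), UsernamePasswordAuthenticationFilter.class);
    }
}
```

The filter is created with `new` rather than exposed as a bean, so the servlet container does not also register it outside the security chain.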
