Summary

I have a problem adding multiple custom filters into SpringSecurityFilterChain using Java configuration because the filters end up in the wrong order in the security filter chain. I didn't have the problem when XML configuration was used. When Spring Security is configured via XML, filter beans are also proxies, but they are placed correctly. So the only conclusion is that the Java configuration and its methods for adding filters into the chain are wrong.

Actual Behavior

I have several custom filters in and want to add them in SpringSecurityFilterChain in a specific order. I define filters using the @Bean method-level annotation and override the method for HTTP security configuration:

```java
@Configuration
@EnableResourceServer
public static class CustomSecurityConfiguration extends ResourceServerConfigurerAdapter {
    ...

    // Each custom filter is exposed as a bean typed by the Filter interface.
    @Bean
    public Filter filter1() { return new Filter1(); }

    @Bean
    public Filter filter2() { return new Filter2(); }

    @Bean
    public Filter filter3() { return new Filter3(); }

    @Bean
    public Filter filter4() { return new Filter4(); }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        ...
        // Requested position of each custom filter relative to a built-in filter.
        http.addFilterBefore(filter1(), ChannelProcessingFilter.class)
            .addFilterBefore(filter2(), HeaderWriterFilter.class)
            .addFilterBefore(filter3(), AbstractPreAuthenticatedProcessingFilter.class)
            .addFilterAfter(filter4(), AbstractPreAuthenticatedProcessingFilter.class);
        ...
    }
    ...
}
```

When a request comes in, the SpringSecurityFilter chain has my custom filters, but they are all positioned one after the other, not following the specified positions.

Expected Behavior

I would expect that filters are ordered as they are configured.

It looks like the reason is that my implementation uses default JDK interface-based proxies, and my custom filters represent the same proxy around the Filter interface. So when calling addFilterBefore and addFilterAfter, they are all recognized as the same class and added one after the other, which results in an incorrect order.

How can I overcome this problem?

Is it maybe a problem in org.springframework.security.config.annotation.web.builders.FilterComparator implementation of these methods for adding custom filters?
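A self-contained model of the cause proposed in the report above, added here as an example and not taken from the issue or from Spring Security's own code: JDK proxies over the same interface share one runtime class, so any ordering that is remembered per filter class collapses the four requested positions into one. The nested `Filter` interface, the numeric positions and the class-keyed `resolve` method are assumptions standing in for the servlet API and the chain's ordering logic.

```java
import java.lang.reflect.Proxy;
import java.util.*;

public class ProxyFilterOrderDemo {
    interface Filter { String name(); }   // stand-in for javax.servlet.Filter (assumption)
    static class Filter1 implements Filter { public String name() { return "filter1"; } }
    static class Filter2 implements Filter { public String name() { return "filter2"; } }
    static class Filter3 implements Filter { public String name() { return "filter3"; } }
    static class Filter4 implements Filter { public String name() { return "filter4"; } }

    // Constructed positions for the three built-in anchor filters named in the issue.
    static final Map<String, Integer> BUILT_IN = Map.of("ChannelProcessingFilter", 100,
            "HeaderWriterFilter", 400, "AbstractPreAuthenticatedProcessingFilter", 1200);

    // JDK interface-based proxy: the runtime class depends only on the interface list.
    static Filter proxy(Filter target) {
        return (Filter) Proxy.newProxyInstance(Filter.class.getClassLoader(),
                new Class<?>[] {Filter.class}, (p, m, args) -> m.invoke(target, args));
    }

    // Simplified model (hypothetical): positions are remembered per runtime class
    // name, so a later registration for the same class overwrites the earlier one.
    static List<String> resolve(Filter[] custom, int[] requested) {
        Map<String, Integer> orderByClass = new HashMap<>();
        for (int i = 0; i < custom.length; i++)
            orderByClass.put(custom[i].getClass().getName(), requested[i]);
        TreeMap<Integer, List<String>> chain = new TreeMap<>();
        BUILT_IN.forEach((n, pos) -> chain.computeIfAbsent(pos, k -> new ArrayList<>()).add(n));
        for (Filter f : custom)
            chain.computeIfAbsent(orderByClass.get(f.getClass().getName()),
                    k -> new ArrayList<>()).add(f.name());
        List<String> out = new ArrayList<>();
        chain.values().forEach(out::addAll);
        return out;
    }

    public static void main(String[] args) {
        Filter[] plain = {new Filter1(), new Filter2(), new Filter3(), new Filter4()};
        Filter[] proxied = Arrays.stream(plain).map(ProxyFilterOrderDemo::proxy).toArray(Filter[]::new);
        int[] requested = {99, 399, 1199, 1201};   // before, before, before, after the anchors
        System.out.println("same proxy class: " + (proxied[0].getClass() == proxied[1].getClass()));
        System.out.println("plain:   " + resolve(plain, requested));
        System.out.println("proxied: " + resolve(proxied, requested));
    }
}
```

In this model the unproxied filters interleave with the built-in anchors as requested, while the proxied ones all land together at the last registered position; comparing `getClass()` across the filter beans is a quick check for whether a given configuration is exposed to this.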

Comment From: eleftherias

Thanks for reaching out @ggeorgijevic. I tried this using the latest version of Spring Security and extending WebSecurityConfigurerAdapter and I cannot reproduce the issue. If you are still experiencing this problem, please comment below and I will reopen the issue.