Spring Security HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location

Describe the bug When setting up HttpSecurity it is possible to end up with the wrong order for filters by calling addFilterBefore multiple times.

To Reproduce Start standard spring boot app with a class SecurityConfiguration extends WebSecurityConfigurerAdapter, override protected void configure(HttpSecurity http) throws Exception.

Do the following:

http ... standard setup ... .addFilterBefore( myFilter, SomeFilterAtPosition100 ) .addFilterBefore( myFilter, SomeFilterAtPosition500 ) ...

Then observe the order the filters are called, myFilter should be called before SomeFilterAtPosition100 and SomeFilterAtPosition500, however you will find it is only before SomeFilterAtPosition500, and in fact it is at position 499.

You will find the same issue with addFilterAfter

Expected behavior myFilter should be before both SomeFilterAtPosition100 and SomeFilterAtPosition500, most likely at position 99

To be clear, it should be before or after all filters as you specify in the HttpSecurity setup.

Pull request with code changes to fix this issue: https://github.com/spring-projects/spring-security/compare/master...Psynbiotik:patch-1

Comment From: rwinch

Thanks for the report. This does seem like an issue. However, the patch does not fix the issue. Since the order is stored in a Map the second invocation with the same class overrides the order. I pushed a fix for this with tests that verify the issue is fixed.

Comment From: skpandey91

Now addFilterAfter is failing to set order for already registered filter like CorsFilter. Is at a BWC?