ENV - Spring Security 5.6.0 - Java 8

Expected Behavior

Enhance the AbstractAuthenticationFilterConfigurer method void configure(B builder) throws Exception:


Class<? extends AbstractAuthenticationProcessingFilter> filterClass;
// initialization details omitted

if (UsernamePasswordAuthenticationFilter.class.isAssignableFrom(filterClass)) {
    httpSecurity.addFilter(filter);
} else {
    httpSecurity.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class);
    // or specify an order
}


Current Behavior

When I apply a custom AbstractAuthenticationFilterConfigurer:

Custom filter:

public class CaptchaAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    // details omitted
}

Custom filter configurer:

public class CaptchaLoginConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractAuthenticationFilterConfigurer<H, CaptchaLoginConfigurer<H>, CaptchaAuthenticationFilter> {
    // details omitted
}

Config:

httpSecurity.apply(new CaptchaLoginConfigurer<>());

That causes the exception:

The Filter class  does not have a registered order and cannot be added without a specified order. Consider using addFilterBefore or addFilterAfter instead.

Context

Custom authentication is necessary for many app actions: captcha login, QR login, etc.

Maybe I can submit a PR.

Comment From: sjohnr

Hi @NotFound403. Thanks for the feedback and suggestion.

The error message you provided:

The Filter class  does not have a registered order and cannot be added without a specified order. Consider using addFilterBefore or addFilterAfter instead.

indicates that you can provide your own ordering. Unfortunately, you're using AbstractAuthenticationFilterConfigurer which is marked in the javadoc as "intended for internal use only".

You could consider instead extending AbstractHttpConfigurer. I understand that it would be desirable not to have to repeat some of the configuration methods on AbstractAuthenticationFilterConfigurer, but you will have full control over how the filter is configured and added with AbstractHttpConfigurer, so the trade-off is worth it.

Since this is the recommended approach, and I don't believe your suggested enhancement would be appropriate in that class, I'm going to close this for now.

Comment From: NotFound403

Thanks for your reply, I have done it like you said. Yeah, I had to repeat some of the configurations.
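
The approach recommended in the thread, sketched as an added example (not code from the issue or from the Spring Security project): a configurer that extends AbstractHttpConfigurer, wires the shared objects a login filter needs, and places the filter explicitly. The constructor taking the filter and the successHandler/failureHandler method names are assumptions made for this example.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

// Added example: extends the public AbstractHttpConfigurer instead of the internal-use
// AbstractAuthenticationFilterConfigurer. Constructor and setter names are assumptions.
public class CaptchaLoginConfigurer<H extends HttpSecurityBuilder<H>>
        extends AbstractHttpConfigurer<CaptchaLoginConfigurer<H>, H> {

    private final AbstractAuthenticationProcessingFilter filter; // e.g. the issue's CaptchaAuthenticationFilter
    private AuthenticationSuccessHandler successHandler;
    private AuthenticationFailureHandler failureHandler;

    public CaptchaLoginConfigurer(AbstractAuthenticationProcessingFilter filter) {
        this.filter = filter;
    }

    public CaptchaLoginConfigurer<H> successHandler(AuthenticationSuccessHandler handler) {
        this.successHandler = handler;
        return this;
    }

    public CaptchaLoginConfigurer<H> failureHandler(AuthenticationFailureHandler handler) {
        this.failureHandler = handler;
        return this;
    }

    @Override
    public void configure(H http) {
        // HttpSecurity publishes the AuthenticationManager as a shared object before configure() runs.
        filter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
        if (successHandler != null) filter.setAuthenticationSuccessHandler(successHandler);
        if (failureHandler != null) filter.setAuthenticationFailureHandler(failureHandler);
        // Reuse session-fixation protection and remember-me when those features are enabled.
        SessionAuthenticationStrategy sessions = http.getSharedObject(SessionAuthenticationStrategy.class);
        if (sessions != null) filter.setSessionAuthenticationStrategy(sessions);
        RememberMeServices rememberMe = http.getSharedObject(RememberMeServices.class);
        if (rememberMe != null) filter.setRememberMeServices(rememberMe);
        // An explicit position avoids the "does not have a registered order" exception.
        http.addFilterBefore(postProcess(filter), UsernamePasswordAuthenticationFilter.class);
    }
}
```

It is applied the same way as in the issue, with the filter instance passed in: httpSecurity.apply(new CaptchaLoginConfigurer<>(captchaFilter)).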