cemo koc (Migrated from SEC-2795) said:

I could not understand why SecurityContextHolderAwareRequestFilter is a GenericBean. Wouldn't it be better as a OncePerRequestFilter?

I have another Filter which is configured to run after SecurityContextHolderAwareRequestFilter. Basically, it wraps the request to be more Servlet API compatible.

```java
public Principal getUserPrincipal() {
    Principal userPrincipal = super.getUserPrincipal();
    if (userPrincipal instanceof Authentication) {
        return (Principal) ((Authentication) userPrincipal).getPrincipal();
    }
    return userPrincipal;
}
```

Because SecurityContextHolderAwareRequestFilter wraps the request twice, this is causing an error.

Comment From: rwinch

Using OncePerRequestFilter for this purpose can potentially cause problems in certain servlet containers' error handling, as the error dispatch type is not well defined.