I am migrating from Spring Security 5.4.6 to 5.4.8. The CORS filter does not have the expected order now.
Steps to reproduce the behavior:
http.addFilterAfter(corsFilterBean, BasicAuthenticationFilter.class)
.addFilterAfter(mycustomFilter, CorsFilter.class)
Expected behavior
It should have orders 2401 and 2402 for the CORS filter and mycustomFilter respectively, but it is setting different orders, 2401 and 601 respectively.
Below is the code in HttpSecurity.class causing the issue.
private HttpSecurity addFilterAtOffsetOf(Filter filter, int offset, Class<? extends Filter> registeredFilter) {
    int order = this.filterOrders.getOrder(registeredFilter) + offset;
    this.filters.add(new HttpSecurity.OrderedFilter(filter, order)); // creating new OrderedFilter with order 2401
    this.filterOrders.put(filter.getClass(), order); // new order of CorsFilter (2401) is not getting updated here
    return this;
}
Comment From: skpandey91
The fix for the issue below is causing this issue. Please suggest.
Comment From: marcusdacoregio
Hello @skpandey91.
It seems that addFilterAfter is behaving as intended. When you do http.addFilterAfter(mycustomFilter, CorsFilter.class), your mycustomFilter will be placed after the CorsFilter, which has an order of 600. You can check it out in the FilterOrderRegistration class.
Why are you adding a CorsFilter after the BasicAuthenticationFilter? Can't you use http.cors(Customizer.withDefaults()) and expose a Bean of type CorsConfigurationSource?
Comment From: skpandey91
If the order for the CorsFilter has been set to 600, then adding the CorsFilter with http.addFilterAfter(corsFilterBean, BasicAuthenticationFilter.class) must set the order 600 in the added filters, not 2401. It should not be allowed to call the http.addFilterAfter method for existing filters.
private HttpSecurity addFilterAtOffsetOf(Filter filter, int offset, Class<? extends Filter> registeredFilter) {
    int order = this.filterOrders.getOrder(registeredFilter) + offset;
    this.filters.add(new HttpSecurity.OrderedFilter(filter, order)); // creating new OrderedFilter with order 2401
    this.filterOrders.put(filter.getClass(), order); // new order of CorsFilter (2401) is not getting updated here
    return this;
}
Comment From: marcusdacoregio
Not really. You can see in the method addFilterAtOffsetOf that the order retrieved is the order of the registeredFilter, thus in your case the BasicAuthenticationFilter.
If you want to add a custom CORS filter after the original one, you should do http.addFilterAfter(corsFilterBean, CorsFilter.class), although I couldn't yet understand what scenario you are trying to solve.
Comment From: skpandey91
My objective is simple: I want to add the CORS filter after BasicAuthenticationFilter and, just after that, another custom filter (mycustomFilter). But the new Spring Security version breaks my application, as the orders are not consecutive numbers now. Previously they were 2401 and 2402, but now they are 2401 and 601, which causes myCustomFilter to take precedence over the CORS filter and breaks my flows.
Comment From: marcusdacoregio
What is the type of corsFilterBean? If it is something like public class CustomCorsFilter implements Filter..., you can change your configuration to this:
http.addFilterAfter(corsFilterBean, BasicAuthenticationFilter.class)
.addFilterAfter(mycustomFilter, CustomCorsFilter.class)
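The suggestion above assumes the bean has its own class. As an added example (not code from this issue, nor Spring Security's own code), the configuration below applies the same idea when the bean is a plain CorsFilter: a thin subclass gives the filter its own registry key, so the second addFilterAfter resolves against it (2401 + 1 = 2402) instead of against CorsFilter's fixed 600. SecurityConfig, CustomCorsFilter, MyCustomFilter and the allowed origin are assumed/constructed names for illustration; the Spring Security 5.4 APIs used (WebSecurityConfigurerAdapter, HttpSecurity.addFilterAfter, CorsFilter, UrlBasedCorsConfigurationSource) are real.

```java
import java.io.IOException;
import java.util.Arrays;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical config class

    /**
     * Hypothetical subclass. HttpSecurity records the order under filter.getClass(),
     * and the existing CorsFilter entry (600) is not overwritten, so a distinct class
     * name is what lets the registry hold the 2401 slot for this bean.
     */
    public static class CustomCorsFilter extends CorsFilter {
        public CustomCorsFilter(CorsConfigurationSource source) {
            super(source);
        }
    }

    /** Hypothetical stand-in for the issue's mycustomFilter. */
    public static class MyCustomFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain chain) throws ServletException, IOException {
            // Application logic that relies on CORS having been handled already goes here.
            chain.doFilter(request, response);
        }
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Constructed placeholder origin; use an explicit allow-list rather than "*" with credentials.
        config.setAllowedOrigins(Arrays.asList("https://app.example.com"));
        config.setAllowedMethods(Arrays.asList("GET", "POST"));
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        CustomCorsFilter corsFilterBean = new CustomCorsFilter(corsConfigurationSource());
        MyCustomFilter myCustomFilter = new MyCustomFilter();

        http.httpBasic()
            .and()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // Registered as CustomCorsFilter at one past BasicAuthenticationFilter: 2401, as reported in the issue.
            .addFilterAfter(corsFilterBean, BasicAuthenticationFilter.class)
            // Looked up by CustomCorsFilter.class, so this becomes 2402 and runs right after the CORS filter.
            .addFilterAfter(myCustomFilter, CustomCorsFilter.class);
    }
}
```

If a subclass is not acceptable, the other option given later in this thread (registering both filters after BasicAuthenticationFilter so they share order 2401 and keep insertion order) needs no new type; the subclass variant is preferable when you want the registry to reflect two distinct positions that later addFilterAfter/addFilterBefore calls can reference.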
Comment From: skpandey91
The type of corsFilterBean is just CorsFilter; it is not returning any custom implementation of the CorsFilter class.
Comment From: marcusdacoregio
Try this then:
http.addFilterAfter(corsFilterBean, BasicAuthenticationFilter.class)
.addFilterAfter(mycustomFilter, BasicAuthenticationFilter.class)
The filters will have the same order, 2401, but they will be ordered correctly when invoking the chain. If this doesn't work, please provide a minimal sample and describe the scenario that you are trying to achieve (why the CorsFilter after the authentication filter).
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.