Expected Behavior
The documentation should clarify that when using HttpSecurity#addFilterBefore(), the specified filter will be executed before the target filter in the filter chain, and if the intention is to have the filter run after authentication filters, the documentation should recommend using HttpSecurity#addFilterAfter().
Current Behavior
Currently the documentation states this "By adding the filter before the AuthorizationFilter we are making sure that the TenantFilter is invoked after the authentication filters."
Reference: https://docs.spring.io/spring-security/reference/servlet/architecture.html#adding-custom-filter
Context
The misleading information in the documentation affects developers trying to implement security filters correctly. Many may end up placing filters in the wrong order, leading to tenant-specific logic being executed before authentication is completed.
Possible Fix
Update the documentation to:
- Use
beforeinstead ofafterin the statement "By adding the filter before theAuthorizationFilterwe are making sure that theTenantFilteris invoked after the authentication filters." - Clearly explain the purpose of
addFilterBefore(),addFilterAfter(), andaddFilterAt(). - Provide examples illustrating the correct usage of these methods in relation to authentication and authorization filters.
Comment From: jzheaux
Thanks for the suggestion, @Kjeff24. I've made several edits based on your recommendations. Once the deployment completes, you should be able to review it at https://docs.spring.io/spring-security/reference/6.4-SNAPSHOT/servlet/architecture.html#adding-custom-filter. Please let me know if you recommend any other changes!