Why is UsernamePasswordAuthenticationFilter a GenericFilterBean and not a OncePerRequestFilter?
Comment From: jzheaux
Usually old decisions like this are because there wasn't a need at the time (about 15 years ago at this point). While it's speculation on my part, since all request dispatches are worth securing, it makes sense to select GenericFilterBean unless there is a need to ensure that something only happens once per request.
Thanks for reaching out, @d3bt3ch. In the future, we prefer that folks post questions to Stack Overflow so that we can use GitHub for bugs and enhancements. If this is causing a bug for you or you would like to request an enhancement, please update the ticket with those details. Otherwise, feel free to post any follow-up StackOverflow link to this ticket and we can continue the conversation over there!
Comment From: rwinch
OncePerRequestFilter is to ensure that the Filter does not process the request more than once in a single request for other dispatch types (e.g. a forward). This is useful for Filters that process every request like HeadersWriterFilter. However, UsernamePasswordAuthenticationFilter only processes on a single URL, so it will not process other dispatch types unless the URL matches, in which case it probably should.
Comment From: d3bt3ch
> OncePerRequestFilter is to ensure that the Filter does not process the request more than once in a single request for other dispatch types (e.g. a forward). This is useful for Filters that process every request like HeadersWriterFilter. However, UsernamePasswordAuthenticationFilter only processes on a single URL, so it will not process other dispatch types unless the URL matches, in which case it probably should.

This can be achieved through OncePerRequestFilter as well. For example, the filters for Authorization Server use OncePerRequestFilter.
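
An added example, not part of the thread and not Spring Security's code: a plain-Java model of the two behaviours rwinch describes, run over an initial dispatch followed by a forward of the same request. `Req`, `OnceGuarded` and `UrlMatched` are hypothetical stand-ins, and the model assumes the filter chain is also invoked on forward dispatches.

```java
import java.util.*;

// Simplified model of the two filter styles discussed in the thread.
// These classes are stand-ins written for this example, not Spring classes.
public class DispatchDemo {
    // Minimal stand-in for a servlet request: a path plus request attributes
    // that survive a forward within the same request.
    static final class Req {
        String path;
        final Map<String, Object> attrs = new HashMap<>();
        Req(String path) { this.path = path; }
    }

    interface Filter { void doFilter(Req req, List<String> log); }

    // Once-per-request style: mark the request, skip on later dispatches.
    static final class OnceGuarded implements Filter {
        private static final String MARK = "OnceGuarded.FILTERED";
        public void doFilter(Req req, List<String> log) {
            if (req.attrs.putIfAbsent(MARK, Boolean.TRUE) != null) return;
            log.add("once:" + req.path);
        }
    }

    // URL-matched style: act only when the path matches, on any dispatch.
    static final class UrlMatched implements Filter {
        private final String processesUrl;
        UrlMatched(String url) { this.processesUrl = url; }
        public void doFilter(Req req, List<String> log) {
            if (!processesUrl.equals(req.path)) return;
            log.add("auth:" + req.path);
        }
    }

    // Runs the filters for the initial dispatch, then again after a forward.
    static List<String> run(String first, String forwardedTo) {
        List<Filter> chain = List.of(new OnceGuarded(), new UrlMatched("/login"));
        List<String> log = new ArrayList<>();
        Req req = new Req(first);
        for (Filter f : chain) f.doFilter(req, log);
        req.path = forwardedTo;          // same request object, new dispatch
        for (Filter f : chain) f.doFilter(req, log);
        return log;
    }

    public static void main(String[] args) {
        System.out.println(run("/home", "/error-page"));
        System.out.println(run("/start", "/login"));
    }
}
```

In the second run the guarded filter fires only for the initial dispatch, while the URL-matched filter still acts when the forward lands on its URL.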