When introducing the "spring-boot-starter-oauth2-client" dependency and using the default configuration, two nearly identical "OAuth2AuthorizationRequestRedirectFilter" instances will be created, but the second one will never be invoked. The key code is shown below:

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Bean
SecurityFilterChain oauth2SecurityFilterChain(HttpSecurity http) throws Exception {
    // Every request must be authenticated
    http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
    // oauth2Login() registers an OAuth2AuthorizationRequestRedirectFilter
    http.oauth2Login(Customizer.withDefaults());
    // oauth2Client() registers a second OAuth2AuthorizationRequestRedirectFilter
    http.oauth2Client();
    return http.build();
}
Comment From: wilkinsona
Thanks for the report, @pop1213, but I am not sure what action you expect us to take. From Spring Boot's perspective, the filters that are created by Spring Security are an implementation detail and calling both oauth2Login and oauth2Client is a standard thing to do. Perhaps you expect Spring Security to detect that one has already been called and avoid creating the second filter?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
Comment From: sandipchitale
I ran into the same issue... and it was confusing. I did not expect two filters to be present. If I dump the filter chain I see:
any request
org.springframework.security.web.session.DisableEncodeUrlFilter@7fad214a
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@164642a4
org.springframework.security.web.context.SecurityContextHolderFilter@51bddd98
org.springframework.security.web.header.HeaderWriterFilter@4faf104
org.springframework.security.web.csrf.CsrfFilter@671ea6ff
org.springframework.security.web.authentication.logout.LogoutFilter@2e43c38d
-> org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter@104dc1a2
-> org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter@314a31b0
org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter@67d32a54
org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@235b4cb8
org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@75cf0de5
org.springframework.security.web.savedrequest.RequestCacheAwareFilter@77d4ac52
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@252744a1
org.springframework.security.web.authentication.AnonymousAuthenticationFilter@50b0afd7
org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter@4735d6e5
org.springframework.security.web.access.ExceptionTranslationFilter@49fb0bbd
org.springframework.security.web.access.intercept.AuthorizationFilter@24c8d8be
and as the original poster noted, this happens because each of the DSL methods oauth2Login() and oauth2Client() is configured by the default config:

@Bean
SecurityFilterChain oauth2SecurityFilterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
    http.oauth2Login(Customizer.withDefaults()); // <-- adds an OAuth2AuthorizationRequestRedirectFilter
    http.oauth2Client();                         // <-- adds another OAuth2AuthorizationRequestRedirectFilter
    return http.build();
}

I guess the implementation could coordinate and install the filter OAuth2AuthorizationRequestRedirectFilter only once. Feel free to move this to the Spring Security project. It was really puzzling as to why the breakpoint was hit twice, before I realized what was happening.
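The filter dump above was produced by hand; the following is an added example (not code from Spring Boot, Spring Security, or any participant in this thread) showing how to dump every SecurityFilterChain at startup and flag filter classes that appear more than once, so the duplicate OAuth2AuthorizationRequestRedirectFilter shows up as a warning instead of a surprise at a breakpoint. It assumes Spring Boot 3 (jakarta.servlet); on Spring Boot 2.x replace the jakarta.servlet import with javax.servlet. The class and bean names are my own.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import jakarta.servlet.Filter;

import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical diagnostic configuration: lists the filters of each
// SecurityFilterChain once the context has started and reports duplicates.
@Configuration
public class FilterChainAuditConfig {

    // Pure helper so it can be unit-tested without a Spring context.
    // Returns "className xN" for every filter class present more than once.
    static List<String> duplicateFilterClasses(List<Filter> filters) {
        Map<String, Integer> counts = new LinkedHashMap<>();
        for (Filter filter : filters) {
            counts.merge(filter.getClass().getName(), 1, Integer::sum);
        }
        List<String> duplicates = new ArrayList<>();
        counts.forEach((name, n) -> {
            if (n > 1) {
                duplicates.add(name + " x" + n);
            }
        });
        return duplicates;
    }

    // Spring injects every SecurityFilterChain bean in the context.
    @Bean
    ApplicationRunner filterChainAudit(List<SecurityFilterChain> chains) {
        return args -> {
            for (SecurityFilterChain chain : chains) {
                List<Filter> filters = chain.getFilters();
                System.out.println(chain + " has " + filters.size() + " filters");
                for (Filter filter : filters) {
                    System.out.println("  " + filter);
                }
                List<String> duplicates = duplicateFilterClasses(filters);
                if (!duplicates.isEmpty()) {
                    System.out.println("  WARNING: duplicate filter classes: " + duplicates);
                }
            }
        };
    }
}
```

With the default oauth2Login() + oauth2Client() configuration from this thread, the runner prints the chain shown above and a warning naming org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter x2. Some chains legitimately contain the same filter class twice, so treat the warning as a prompt to check the configuration rather than as an error.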
Comment From: wilkinsona
Unfortunately, GitHub's permissions model prevents us from doing the transfer. If you'd like to see this addressed in Spring Security, please open a Spring Security issue.
Comment From: sandipchitale
Done.