Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sorting RememberMeAuthenticationFilter #16346

Open
daromnik opened this issue Dec 26, 2024 · 2 comments
Open

Sorting RememberMeAuthenticationFilter #16346

daromnik opened this issue Dec 26, 2024 · 2 comments
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug

Comments

@daromnik
Copy link

Hello.

I noticed this situation with the RememberMeAuthenticationFilter filter.

When the application is launched, this filter appears at the end of the filter chain.

1 = "WebAsyncManagerIntegrationFilter"
2 = "SecurityContextPersistenceFilter"
3 = "HeaderWriterFilter"
4 = "LogoutFilter"
5 = "BasicAuthenticationFilter"
6 = "SecuritySaveContextFilter"
7 = "CachedSessionFilter"
8 = "RequestCacheAwareFilter"
9 = "SecurityContextHolderAwareRequestFilter"
10 = "RememberMeAuthenticationFilter"
11 = "AnonymousAuthenticationFilter"
...

In the FilterOrderRegistration class, its sorting is 3000, so it never gets to its turn.
Although it should go somewhere at the beginning after LogoutFilter.
Is this normal behavior?
I did not find any ways to change the sorting of RememberMeAuthenticationFilter.
@daromnik daromnik added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Dec 26, 2024
@kse-music
Copy link
Contributor

If you must do it, I think you can do like this

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        DefaultSecurityFilterChain chain = http
                .authorizeHttpRequests(c -> c.anyRequest().permitAll())
                .rememberMe(Customizer.withDefaults())
                .build();
        List<Filter> filters = new ArrayList<>(chain.getFilters().size());
        for (Filter filter : chain.getFilters()) {
            if (filter instanceof RememberMeAuthenticationFilter) {
                filters.add(7, filter);//set position
                continue;
            }
            filters.add(filter);
        }
        return new DefaultSecurityFilterChain(chain.getRequestMatcher(), filters);
    }

@daromnik
Copy link
Author

I can change it programmatically, I agree, but I wonder why this filter appears at the end of the list by default, maybe it's a bug?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@daromnik @kse-music