Multiple Spring Security filters









up vote
-1
down vote

favorite












I have 2 Spring Security WebSecurityConfigurerAdapter configs. I want to filter all requests to path /filter1 with filter 1, excluding /filter1/filter2 path. The latter one I want to filter with filter 2. How can I achieve it?



Filter 1 config:



@Override
protected void configure(HttpSecurity http) throws Exception
http
.csrf().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("filter1/filter2/**").permitAll()
.and()
.antMatcher("filter1/**")
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilterBefore(filter1, FilterSecurityInterceptor.class);



Filter 2 config:



@Override
protected void configure(HttpSecurity http) throws Exception
http
.csrf().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.antMatcher("filter1/filter2/**")
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilterBefore(filter2, FilterSecurityInterceptor.class);










share|improve this question























  • Did you try something like "filter1/^(filter2)/**" for the second filter allowing only authenticated requests? It basically uses regex for filter2, but I am not sure if this is completely supported (though regexes for path variables are supported).
    – Him
    Nov 10 at 11:19










  • Why? What do you want to achieve with multiple security filters?
    – M. Deinum
    Nov 10 at 12:08










  • @M.Deinum I want to use separate authentications for each url.
    – Alvin Mahmudov
    Nov 10 at 12:15










  • @Him it is not working
    – Alvin Mahmudov
    Nov 10 at 12:15










  • If that is what you want you don't need separate filters for that. Start with an antMatcher that matches the path and configure it.
    – M. Deinum
    Nov 10 at 12:23














up vote
-1
down vote

favorite












I have 2 Spring Security WebSecurityConfigurerAdapter configs. I want to filter all requests to path /filter1 with filter 1, excluding /filter1/filter2 path. The latter one I want to filter with filter 2. How can I achieve it?



Filter 1 config:



@Override
protected void configure(HttpSecurity http) throws Exception
http
.csrf().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("filter1/filter2/**").permitAll()
.and()
.antMatcher("filter1/**")
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilterBefore(filter1, FilterSecurityInterceptor.class);



Filter 2 config:



@Override
protected void configure(HttpSecurity http) throws Exception
http
.csrf().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.antMatcher("filter1/filter2/**")
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilterBefore(filter2, FilterSecurityInterceptor.class);










share|improve this question























  • Did you try something like "filter1/^(filter2)/**" for the second filter allowing only authenticated requests? It basically uses regex for filter2, but I am not sure if this is completely supported (though regexes for path variables are supported).
    – Him
    Nov 10 at 11:19










  • Why? What do you want to achieve with multiple security filters?
    – M. Deinum
    Nov 10 at 12:08










  • @M.Deinum I want to use separate authentications for each url.
    – Alvin Mahmudov
    Nov 10 at 12:15










  • @Him it is not working
    – Alvin Mahmudov
    Nov 10 at 12:15










  • If that is what you want you don't need separate filters for that. Start with an antMatcher that matches the path and configure it.
    – M. Deinum
    Nov 10 at 12:23












up vote
-1
down vote

favorite









up vote
-1
down vote

favorite











I have 2 Spring Security WebSecurityConfigurerAdapter configs. I want to filter all requests to path /filter1 with filter 1, excluding /filter1/filter2 path. The latter one I want to filter with filter 2. How can I achieve it?



Filter 1 config:



@Override
protected void configure(HttpSecurity http) throws Exception
http
.csrf().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("filter1/filter2/**").permitAll()
.and()
.antMatcher("filter1/**")
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilterBefore(filter1, FilterSecurityInterceptor.class);



Filter 2 config:



@Override
protected void configure(HttpSecurity http) throws Exception
http
.csrf().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.antMatcher("filter1/filter2/**")
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilterBefore(filter2, FilterSecurityInterceptor.class);










share|improve this question















I have 2 Spring Security WebSecurityConfigurerAdapter configs. I want to filter all requests to path /filter1 with filter 1, excluding /filter1/filter2 path. The latter one I want to filter with filter 2. How can I achieve it?



Filter 1 config:



@Override
protected void configure(HttpSecurity http) throws Exception
http
.csrf().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("filter1/filter2/**").permitAll()
.and()
.antMatcher("filter1/**")
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilterBefore(filter1, FilterSecurityInterceptor.class);



Filter 2 config:



@Override
protected void configure(HttpSecurity http) throws Exception
http
.csrf().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.antMatcher("filter1/filter2/**")
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilterBefore(filter2, FilterSecurityInterceptor.class);







spring spring-boot spring-security






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 10 at 18:33









dur

6,967133560




6,967133560










asked Nov 10 at 10:56









Alvin Mahmudov

339




339











  • Did you try something like "filter1/^(filter2)/**" for the second filter allowing only authenticated requests? It basically uses regex for filter2, but I am not sure if this is completely supported (though regexes for path variables are supported).
    – Him
    Nov 10 at 11:19










  • Why? What do you want to achieve with multiple security filters?
    – M. Deinum
    Nov 10 at 12:08










  • @M.Deinum I want to use separate authentications for each url.
    – Alvin Mahmudov
    Nov 10 at 12:15










  • @Him it is not working
    – Alvin Mahmudov
    Nov 10 at 12:15










  • If that is what you want you don't need separate filters for that. Start with an antMatcher that matches the path and configure it.
    – M. Deinum
    Nov 10 at 12:23
















  • Did you try something like "filter1/^(filter2)/**" for the second filter allowing only authenticated requests? It basically uses regex for filter2, but I am not sure if this is completely supported (though regexes for path variables are supported).
    – Him
    Nov 10 at 11:19










  • Why? What do you want to achieve with multiple security filters?
    – M. Deinum
    Nov 10 at 12:08










  • @M.Deinum I want to use separate authentications for each url.
    – Alvin Mahmudov
    Nov 10 at 12:15










  • @Him it is not working
    – Alvin Mahmudov
    Nov 10 at 12:15










  • If that is what you want you don't need separate filters for that. Start with an antMatcher that matches the path and configure it.
    – M. Deinum
    Nov 10 at 12:23















Did you try something like "filter1/^(filter2)/**" for the second filter allowing only authenticated requests? It basically uses regex for filter2, but I am not sure if this is completely supported (though regexes for path variables are supported).
– Him
Nov 10 at 11:19




Did you try something like "filter1/^(filter2)/**" for the second filter allowing only authenticated requests? It basically uses regex for filter2, but I am not sure if this is completely supported (though regexes for path variables are supported).
– Him
Nov 10 at 11:19












Why? What do you want to achieve with multiple security filters?
– M. Deinum
Nov 10 at 12:08




Why? What do you want to achieve with multiple security filters?
– M. Deinum
Nov 10 at 12:08












@M.Deinum I want to use separate authentications for each url.
– Alvin Mahmudov
Nov 10 at 12:15




@M.Deinum I want to use separate authentications for each url.
– Alvin Mahmudov
Nov 10 at 12:15












@Him it is not working
– Alvin Mahmudov
Nov 10 at 12:15




@Him it is not working
– Alvin Mahmudov
Nov 10 at 12:15












If that is what you want you don't need separate filters for that. Start with an antMatcher that matches the path and configure it.
– M. Deinum
Nov 10 at 12:23




If that is what you want you don't need separate filters for that. Start with an antMatcher that matches the path and configure it.
– M. Deinum
Nov 10 at 12:23












1 Answer
1






active

oldest

votes

















up vote
1
down vote













Just write a single configuration, ordering the urls in the way they should match (ordering is important here!).



Something like the following



http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests().anyRequest().authenticated()
.and()
.antMatcher("filter1/filter2/**")
.addFilterBefore(filter2, FilterSecurityInterceptor.class)
.antMatcher("filter1/**")
.addFilterBefore(filter1, FilterSecurityInterceptor.class);


Should do that. It will match the most specific one and use that filter chain. Not sure if you need to move the .authorizeRequests().anyRequest().authenticated() to each mapping as well.






share|improve this answer




















  • The only thing is, I don't need filter1 to be triggered if filter2 has been triggered.
    – Alvin Mahmudov
    Nov 10 at 12:39










  • It doesn't. It will match the specific one. The first chain that matches will be executed. Hence ordering is important here.
    – M. Deinum
    Nov 10 at 12:49











  • I just tested and both filters get called. First filter2 then filter1. Even if the path doesn't match. Maybe that is because the filters are defined as spring beans.
    – Alvin Mahmudov
    Nov 10 at 12:57










  • They get called because they are part of the normal filter chain and not just the security filter chain. Add an additional FilterRegistrationBean and disable the filter with that (setting the enabled property to false) to prevent them from being registered in the regular filter chain.
    – M. Deinum
    Nov 10 at 12:59






  • 1




    ` @Bean public FilterRegistrationBean filterRegistration(SecurityFilter filter2) FilterRegistrationBean registration = new FilterRegistrationBean(filter2); registration.setEnabled(false); return registration; @Bean public FilterRegistrationBean filterRegistration2(SecurityFilter filter1) FilterRegistrationBean registration = new FilterRegistrationBean(filter1); registration.setEnabled(false); return registration; ` I already have.They are called only when I am accessing filter1 or filter2 paths.
    – Alvin Mahmudov
    Nov 10 at 13:02











Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53238234%2fmultiple-spring-security-filters%23new-answer', 'question_page');

);

Post as a guest






























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
1
down vote













Just write a single configuration, ordering the urls in the way they should match (ordering is important here!).



Something like the following



http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests().anyRequest().authenticated()
.and()
.antMatcher("filter1/filter2/**")
.addFilterBefore(filter2, FilterSecurityInterceptor.class)
.antMatcher("filter1/**")
.addFilterBefore(filter1, FilterSecurityInterceptor.class);


Should do that. It will match the most specific one and use that filter chain. Not sure if you need to move the .authorizeRequests().anyRequest().authenticated() to each mapping as well.






share|improve this answer




















  • The only thing is, I don't need filter1 to be triggered if filter2 has been triggered.
    – Alvin Mahmudov
    Nov 10 at 12:39










  • It doesn't. It will match the specific one. The first chain that matches will be executed. Hence ordering is important here.
    – M. Deinum
    Nov 10 at 12:49











  • I just tested and both filters get called. First filter2 then filter1. Even if the path doesn't match. Maybe that is because the filters are defined as spring beans.
    – Alvin Mahmudov
    Nov 10 at 12:57










  • They get called because they are part of the normal filter chain and not just the security filter chain. Add an additional FilterRegistrationBean and disable the filter with that (setting the enabled property to false) to prevent them from being registered in the regular filter chain.
    – M. Deinum
    Nov 10 at 12:59






  • 1




    ` @Bean public FilterRegistrationBean filterRegistration(SecurityFilter filter2) FilterRegistrationBean registration = new FilterRegistrationBean(filter2); registration.setEnabled(false); return registration; @Bean public FilterRegistrationBean filterRegistration2(SecurityFilter filter1) FilterRegistrationBean registration = new FilterRegistrationBean(filter1); registration.setEnabled(false); return registration; ` I already have.They are called only when I am accessing filter1 or filter2 paths.
    – Alvin Mahmudov
    Nov 10 at 13:02















up vote
1
down vote













Just write a single configuration, ordering the urls in the way they should match (ordering is important here!).



Something like the following



http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests().anyRequest().authenticated()
.and()
.antMatcher("filter1/filter2/**")
.addFilterBefore(filter2, FilterSecurityInterceptor.class)
.antMatcher("filter1/**")
.addFilterBefore(filter1, FilterSecurityInterceptor.class);


Should do that. It will match the most specific one and use that filter chain. Not sure if you need to move the .authorizeRequests().anyRequest().authenticated() to each mapping as well.






share|improve this answer




















  • The only thing is, I don't need filter1 to be triggered if filter2 has been triggered.
    – Alvin Mahmudov
    Nov 10 at 12:39










  • It doesn't. It will match the specific one. The first chain that matches will be executed. Hence ordering is important here.
    – M. Deinum
    Nov 10 at 12:49











  • I just tested and both filters get called. First filter2 then filter1. Even if the path doesn't match. Maybe that is because the filters are defined as spring beans.
    – Alvin Mahmudov
    Nov 10 at 12:57










  • They get called because they are part of the normal filter chain and not just the security filter chain. Add an additional FilterRegistrationBean and disable the filter with that (setting the enabled property to false) to prevent them from being registered in the regular filter chain.
    – M. Deinum
    Nov 10 at 12:59






  • 1




    ` @Bean public FilterRegistrationBean filterRegistration(SecurityFilter filter2) FilterRegistrationBean registration = new FilterRegistrationBean(filter2); registration.setEnabled(false); return registration; @Bean public FilterRegistrationBean filterRegistration2(SecurityFilter filter1) FilterRegistrationBean registration = new FilterRegistrationBean(filter1); registration.setEnabled(false); return registration; ` I already have.They are called only when I am accessing filter1 or filter2 paths.
    – Alvin Mahmudov
    Nov 10 at 13:02













up vote
1
down vote










up vote
1
down vote









Just write a single configuration, ordering the urls in the way they should match (ordering is important here!).



Something like the following



http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests().anyRequest().authenticated()
.and()
.antMatcher("filter1/filter2/**")
.addFilterBefore(filter2, FilterSecurityInterceptor.class)
.antMatcher("filter1/**")
.addFilterBefore(filter1, FilterSecurityInterceptor.class);


Should do that. It will match the most specific one and use that filter chain. Not sure if you need to move the .authorizeRequests().anyRequest().authenticated() to each mapping as well.






share|improve this answer












Just write a single configuration, ordering the urls in the way they should match (ordering is important here!).



Something like the following



http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests().anyRequest().authenticated()
.and()
.antMatcher("filter1/filter2/**")
.addFilterBefore(filter2, FilterSecurityInterceptor.class)
.antMatcher("filter1/**")
.addFilterBefore(filter1, FilterSecurityInterceptor.class);


Should do that. It will match the most specific one and use that filter chain. Not sure if you need to move the .authorizeRequests().anyRequest().authenticated() to each mapping as well.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 10 at 12:35









M. Deinum

66.1k11132146




66.1k11132146











  • The only thing is, I don't need filter1 to be triggered if filter2 has been triggered.
    – Alvin Mahmudov
    Nov 10 at 12:39










  • It doesn't. It will match the specific one. The first chain that matches will be executed. Hence ordering is important here.
    – M. Deinum
    Nov 10 at 12:49











  • I just tested and both filters get called. First filter2 then filter1. Even if the path doesn't match. Maybe that is because the filters are defined as spring beans.
    – Alvin Mahmudov
    Nov 10 at 12:57










  • They get called because they are part of the normal filter chain and not just the security filter chain. Add an additional FilterRegistrationBean and disable the filter with that (setting the enabled property to false) to prevent them from being registered in the regular filter chain.
    – M. Deinum
    Nov 10 at 12:59






  • 1




    ` @Bean public FilterRegistrationBean filterRegistration(SecurityFilter filter2) FilterRegistrationBean registration = new FilterRegistrationBean(filter2); registration.setEnabled(false); return registration; @Bean public FilterRegistrationBean filterRegistration2(SecurityFilter filter1) FilterRegistrationBean registration = new FilterRegistrationBean(filter1); registration.setEnabled(false); return registration; ` I already have.They are called only when I am accessing filter1 or filter2 paths.
    – Alvin Mahmudov
    Nov 10 at 13:02

















  • The only thing is, I don't need filter1 to be triggered if filter2 has been triggered.
    – Alvin Mahmudov
    Nov 10 at 12:39










  • It doesn't. It will match the specific one. The first chain that matches will be executed. Hence ordering is important here.
    – M. Deinum
    Nov 10 at 12:49











  • I just tested and both filters get called. First filter2 then filter1. Even if the path doesn't match. Maybe that is because the filters are defined as spring beans.
    – Alvin Mahmudov
    Nov 10 at 12:57










  • They get called because they are part of the normal filter chain and not just the security filter chain. Add an additional FilterRegistrationBean and disable the filter with that (setting the enabled property to false) to prevent them from being registered in the regular filter chain.
    – M. Deinum
    Nov 10 at 12:59






  • 1




    ` @Bean public FilterRegistrationBean filterRegistration(SecurityFilter filter2) FilterRegistrationBean registration = new FilterRegistrationBean(filter2); registration.setEnabled(false); return registration; @Bean public FilterRegistrationBean filterRegistration2(SecurityFilter filter1) FilterRegistrationBean registration = new FilterRegistrationBean(filter1); registration.setEnabled(false); return registration; ` I already have.They are called only when I am accessing filter1 or filter2 paths.
    – Alvin Mahmudov
    Nov 10 at 13:02
















The only thing is, I don't need filter1 to be triggered if filter2 has been triggered.
– Alvin Mahmudov
Nov 10 at 12:39




The only thing is, I don't need filter1 to be triggered if filter2 has been triggered.
– Alvin Mahmudov
Nov 10 at 12:39












It doesn't. It will match the specific one. The first chain that matches will be executed. Hence ordering is important here.
– M. Deinum
Nov 10 at 12:49





It doesn't. It will match the specific one. The first chain that matches will be executed. Hence ordering is important here.
– M. Deinum
Nov 10 at 12:49













I just tested and both filters get called. First filter2 then filter1. Even if the path doesn't match. Maybe that is because the filters are defined as spring beans.
– Alvin Mahmudov
Nov 10 at 12:57




I just tested and both filters get called. First filter2 then filter1. Even if the path doesn't match. Maybe that is because the filters are defined as spring beans.
– Alvin Mahmudov
Nov 10 at 12:57












They get called because they are part of the normal filter chain and not just the security filter chain. Add an additional FilterRegistrationBean and disable the filter with that (setting the enabled property to false) to prevent them from being registered in the regular filter chain.
– M. Deinum
Nov 10 at 12:59




They get called because they are part of the normal filter chain and not just the security filter chain. Add an additional FilterRegistrationBean and disable the filter with that (setting the enabled property to false) to prevent them from being registered in the regular filter chain.
– M. Deinum
Nov 10 at 12:59




1




1




` @Bean public FilterRegistrationBean filterRegistration(SecurityFilter filter2) FilterRegistrationBean registration = new FilterRegistrationBean(filter2); registration.setEnabled(false); return registration; @Bean public FilterRegistrationBean filterRegistration2(SecurityFilter filter1) FilterRegistrationBean registration = new FilterRegistrationBean(filter1); registration.setEnabled(false); return registration; ` I already have.They are called only when I am accessing filter1 or filter2 paths.
– Alvin Mahmudov
Nov 10 at 13:02





` @Bean public FilterRegistrationBean filterRegistration(SecurityFilter filter2) FilterRegistrationBean registration = new FilterRegistrationBean(filter2); registration.setEnabled(false); return registration; @Bean public FilterRegistrationBean filterRegistration2(SecurityFilter filter1) FilterRegistrationBean registration = new FilterRegistrationBean(filter1); registration.setEnabled(false); return registration; ` I already have.They are called only when I am accessing filter1 or filter2 paths.
– Alvin Mahmudov
Nov 10 at 13:02


















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53238234%2fmultiple-spring-security-filters%23new-answer', 'question_page');

);

Post as a guest














































































這個網誌中的熱門文章

How to read a connectionString WITH PROVIDER in .NET Core?

Node.js Script on GitHub Pages or Amazon S3

Museum of Modern and Contemporary Art of Trento and Rovereto