.addFilterAfter(filter, SecurityContextHolderFilter.class) does not work properly #45985

Closed as not planned
@ReXtrem

As SecurityContextPersistenceFilter is deprecated and replaced by SecurityContextHolderFilter, I would expect the filter structure to be set up equally to it.

Unfortunately I came across this weird issue when you try to add a custom authentication for a stateless application context:

SecurityContextHolder.getContext().setAuthentication(authentication);

always gets reset because of the SecurityContextPersistenceFilter kicking in before:

Even if I define my "filter" to run after SecurityContextHolderFilter

.addFilterAfter(myFilter, SecurityContextHolderFilter.class)

The chain is set up like this:

Will secure any request with filters: DisableEncodeUrlFilter, WebAsyncManagerIntegrationFilter, MyFilter, SecurityContextPersistenceFilter, ...

If I use the deprecated:

.addFilterAfter(authenticationFilter, SecurityContextPersistenceFilter.class)

The filter chain is correct:

Will secure any request with filters: DisableEncodeUrlFilter, WebAsyncManagerIntegrationFilter, SecurityContextPersistenceFilter, MyFilter, ...

Spring-Boot version: 3.4.4
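
A startup guard for the ordering problem described in this issue, added here as an example and not code from the issue or from Spring Security: it fails application start when the custom filter sits ahead of whichever security-context filter the chain actually contains. The class name `FilterOrderCheck` and the `CUSTOM_FILTER` constant are assumptions; `MyFilter` is the name shown in the log lines above.

```java
import jakarta.servlet.Filter;
import java.util.List;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.SecurityContextHolderFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;

@Configuration
public class FilterOrderCheck {

    // Simple class name of the custom authentication filter, as printed in the
    // "Will secure any request with filters" log line (assumed to be MyFilter).
    static final String CUSTOM_FILTER = "MyFilter";

    // Runs once at startup over every SecurityFilterChain bean in the context.
    @Bean
    ApplicationRunner verifyFilterOrder(List<SecurityFilterChain> chains) {
        return args -> chains.forEach(chain -> check(chain.getFilters()));
    }

    // Throws if the custom filter would run before the filter that sets up the
    // SecurityContext for the request, whichever of the two classes is present.
    static void check(List<Filter> filters) {
        int custom = -1;
        int context = -1;
        for (int i = 0; i < filters.size(); i++) {
            Filter f = filters.get(i);
            if (f.getClass().getSimpleName().equals(CUSTOM_FILTER)) {
                custom = i;
            } else if (f instanceof SecurityContextHolderFilter
                    || f instanceof SecurityContextPersistenceFilter) {
                context = i;
            }
        }
        // Chains without the custom filter, or with it after the context filter, pass.
        if (custom >= 0 && custom < context) {
            throw new IllegalStateException(CUSTOM_FILTER + " is at position " + custom
                    + " but " + filters.get(context).getClass().getSimpleName()
                    + " is at position " + context
                    + "; authentication set by the custom filter may be overwritten");
        }
    }
}
```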


Labels: status: invalid (An issue that we don't feel is valid)
