-
Notifications
You must be signed in to change notification settings - Fork 40.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce a mechanism to disable existing filters/servlets beans #2173
Comments
Do you have any specific examples of libraries that are adding Filters/Servlets? |
OK, ignore that last comment. I see #2171 is related. |
There is a mechanism for exclusion, if you have an immediate problem and just need the solution. You create a |
@dsyer, Please correct me If I am wrong. You mean that I should add another FilterRegistrationBean with same filter name. This will cause skipping new created FilterRegistrationBean but not actual one. Right? |
That wasn't what I meant. Why not use the enabled flag (it's just a Boolean property in the FRB)? |
Because it is not a FilterRegistrationBean. It is a plain
Here is the relevant code which is causing trouble. This piece of code is from Spring Security. Spring Security is exposing a Filter for internal usage. However Spring Boot is catching it and trying to register as a Servlet Api Filter. |
It's not really "for internal use" though is it? It's for your application security. If you don't want it, why is Spring Security on the classpath? |
And there's nothing to stop you creating a |
I have not noticed that you had already added But there is still a problem. Spring's DelegatingFilterProxy is binding filter at init phase of filter. Your check is invalid for this situation. Maybe checking filter name is an option? (By the way Servlet Api is already checking filter names. In case a duplicated already configured same name filter, It is skipping it. ) |
OK so we appear to have agreed that there is already a mechanism in place for disabling existing filters. Maybe we need more documentation? I don't get the last point about the "init" phase (there is no "init" phase for a |
+1 for more documentation. I meant I am migrating a legacy application, I have to use I believe that disabling mechanism of a filter is not complete without |
Someone on Stack Overflow with the same problem |
What about DelegatingFilterProxy filters? |
What about them? They are just filters. |
Could you show me an example how would you disable a DelegatingFilterProxy filter please? |
It's the same as the example Andy added to the docs:
|
Works like a charm. I had a custom solution that I used prior to this,
Then in your @nAmed annotated bean implement
|
Topic is quite old but was still relevant for us. I think we had the same issue @cemo described, the securityFilterChain was executed twice. I first saw this in the logs
And then also in the startup-phase
Thanks for the information here to find the solution. For the sake of completeness here the solution via XML configuration <bean class="org.springframework.boot.web.servlet.FilterRegistrationBean">
<property name="filter" ref="springSecurityFilterChain" />
<property name="enabled" value="false" />
</bean> I debugged a lot to find this and also tried various configuration and found out that this issue happens when a |
@chris922 Your solution helped me! Yeah! I have spent whole day to figure out what is happening :( I had similar problem => moving legacy spring application to Spring Boot with security configuration defined in xml file. Because of some reason 2 spring security filter chains were created by Spring Boot and my custom filters were called twice per each request. (Debug view on application filters chain):
After applying your solution my application works well! Now the question is if it is some bug in my application that 2 spring security filter chains are created or it is some problem between xml config <=> Spring Boot? Now I am only thinking loudly... Maybe it is becuase: a) Spring Security documentation claims:
So as we have spring security configuration in xml we have tag defined there. So "springSecurityFilterChain" is created. b) As Spring Boot find Spring-Security on classpath it creates the 2nd one security chain during auto-configuration. As a result of points a) and b) we have 2 security filter chains in application. |
I'm having the same problem today. For unknown reason, I keep on getting NullPointerException without any clue. Until I found out that the Security Filter was ran twice. Following is my solution : @Bean
public FilterRegistrationBean filterRegistrationBean() throws Exception {
FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
filterRegistrationBean.setEnabled(false);
filterRegistrationBean.setFilter(authenticationTokenFilterBean());
return filterRegistrationBean;
} |
is this issue is closed?? i got same problem.. see org.springframework.boot.web.servlet.ServletContextInitializerBeans class source.. private void addAdaptableBeans(ListableBeanFactory beanFactory) {
MultipartConfigElement multipartConfig = this.getMultipartConfig(beanFactory);
this.addAsRegistrationBean(beanFactory, Servlet.class, new ServletContextInitializerBeans.ServletRegistrationBeanAdapter(multipartConfig));
this.addAsRegistrationBean(beanFactory, Filter.class, new ServletContextInitializerBeans.FilterRegistrationBeanAdapter(null));
Iterator var3 = ServletListenerRegistrationBean.getSupportedTypes().iterator();
while(var3.hasNext()) {
Class listenerType = (Class)var3.next();
this.addAsRegistrationBean(beanFactory, EventListener.class, listenerType, new ServletContextInitializerBeans.ServletListenerRegistrationBeanAdapter(null));
}
} bean class that implements javax.servlet.Filter interface is registered to filter automatically |
Yes. It says so at the top of the page
That's by design. Please read the documentation to learn how to disable that registration. |
Sorry to bother everyone, but the FilterRegistrationBean did not work for me. My configuration is : @Bean
public FilterRegistrationBean afterAuthenticatedProcessingFilter(
@Autowired RedisTool<String, String> redisTool,
@Autowired CaptchaSettingServiceImpl captchaSettingService,
@Autowired SystemSettingHelper systemSettingHelper) {
FilterRegistrationBean registration = new FilterRegistrationBean();
AfterAuthenticatedProcessingFilter filter = new AfterAuthenticatedProcessingFilter();
filter.setRedisTool(redisTool);
filter.setCaptchaSettingService(captchaSettingService);
filter.setSystemSettingHelper(systemSettingHelper);
registration.setFilter(filter);
registration.setName("afterAuthenticatedProcessingFilter");
registration.setEnabled(false);
return registration;
} and the AfterAuthenticatedProcessingFilter is: public class AfterAuthenticatedProcessingFilter extends GenericFilterBean {
// ignore the implement codes
} but when my application bootstap, an exception was throwed and the root cause is:
so, have anyone seen a similar problem? and could anyone give me some sugguestion? thanks a lot! |
@winters1224 please ask questions on stackoverflow. |
@snicoll OK,thanks. |
@OrangeDog This issue is closed. If you have an enhancement request, please create a new issue. |
When migrating from legacy code (with a lot of XML configuration), it would be great to be able to disable automatic registration of filters and servlets. This is exactly what I'm doing now and I have to disable a lot of filters with FilterRegistrationBean.setEnabled(false) |
@neshtaMedia I believe you could do that with a custom subclass of |
It is quite possible to include a library which is exposing a Filter/Servlet bean. Please introduce a mechanism for exclusion.
Here is the relevant section of code:
org.springframework.boot.context.embedded.ServletContextInitializerBeans#addAdaptableBeans
#2171 is also related to this issue.
The text was updated successfully, but these errors were encountered: