2.7.0: SecurityFilterChain antMatcher trigger all the filters on not matching route

[sysmat]

Env

• spring:2.7.0 with spring-boot-starter-security, spring-boot-starter-web java 17
• on url path antMatcher /v1/** I have Filter1
• on url path antMatcher /v2/** I have Filter2

error

• when I do http request to curl.exe localhost:8080/v2/123 I see Filter2, Filter1 are triggered
• when I do http request to curl.exe localhost:8080/v1/43 I see Filter1, Filter2 are triggered
• in startup I see registration of filters is ok

[  restartedMain] o.s.s.web.DefaultSecurityFilterChain     : Will secure Ant [pattern='/v1/**'] with [org.springframework.security.web.session.DisableEncodeUrlFilter@1a86246a, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@78d19287, org.springframework.security.web.context.SecurityContextPersistenceFilter@5e7e41ae, org.springframework.security.web.header.HeaderWriterFilter@771cd726, org.springframework.security.web.csrf.CsrfFilter@66bc9b34, org.springframework.security.web.authentication.logout.LogoutFilter@23a3b549, com.example.demo.FilterV1@720f5a38, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@4b2f8dd1, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@c44f810, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@e58d6e8, org.springframework.security.web.session.SessionManagementFilter@1d31806b, org.springframework.security.web.access.ExceptionTranslationFilter@6ea95506, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@149f132f]
[  restartedMain] o.s.s.web.DefaultSecurityFilterChain     : Will secure Ant [pattern='/v2/**'] with [org.springframework.security.web.session.DisableEncodeUrlFilter@59e3b068, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@9e1696f, org.springframework.security.web.context.SecurityContextPersistenceFilter@4d4cd988, org.springframework.security.web.header.HeaderWriterFilter@7e807510, org.springframework.security.web.csrf.CsrfFilter@751d0760, org.springframework.security.web.authentication.logout.LogoutFilter@3dfa806b, com.example.demo.FilterV2@47d84948, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@40bd3f4, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@79de1e90, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@770c39d3, org.springframework.security.web.session.SessionManagementFilter@5077e2e1, org.springframework.security.web.access.ExceptionTranslationFilter@4be05dc8, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@1d116d71]

Expected behavior

Filter is triggered only for URL segment whish is defined

Demo

@EnableWebSecurity
public class SecurityConfig {

    @Autowired
    private FilterV1 filterV1;

    @Autowired
    private FilterV2 filterV2;

    @Bean
    @Order(1)
    public SecurityFilterChain filterChainV1(HttpSecurity http) throws Exception {


        http.antMatcher("/v1/**")
            .addFilterBefore(filterV1, UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests().anyRequest().authenticated()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        return http.build();
    }

    @Bean
    @Order(2)
    public SecurityFilterChain filterChainV2(HttpSecurity http) throws Exception {


        http.antMatcher("/v2/**")
            .addFilterBefore(filterV2, UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests().anyRequest().authenticated()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        return http.build();
    }

}

demo.zip

[mdeinum]

When Spring Boot detects a servlet filter it automatically registers it with the regular filter chain so each filter will be always executed in this case. As mentioned here in the documentation. If you don't want this to happen, because you want to add them in the security chain, you need to add an explicit FilterRegistrationBean to disable it (as mentioned here).

See also:

• https://stackoverflow.com/questions/39314176/filter-invoke-twice-when-register-as-spring-bean
• https://stackoverflow.com/questions/64241555/spring-boot-filter-called-twice-or-not-called-at-all
• https://stackoverflow.com/questions/24381191/what-is-implication-of-adding-component-to-custom-spring-security-filter
• https://stackoverflow.com/questions/64090329/spring-security-custom-filter-gets-called-multiple-times/64107238#64107238
• https://stackoverflow.com/questions/44775539/why-spring-boot-filter-call-twice/60045285#60045285

For the Spring Boot Team, this keeps popping up quite regularly on StackOverflow as well. Would it make sense to have a marker annotation (something like @SecurityFilter for either on the class or @Bean method) and have it be ignored by the framework from auto registration instead of explicitly having to add a FilterRegistrationBean to disable it?

[wilkinsona]

Thanks, @mdeinum.

For the Spring Boot Team, this keeps popping up quite regularly on StackOverflow as well. Would it make sense to have a marker annotation (something like @SecurityFilter for either on the class or @bean method) and have it be ignored by the framework from auto registration instead of explicitly having to add a FilterRegistrationBean to disable it?

Yes, I think so. #16500 is tracking some sort of enhancement in this area.

[sysmat]

@mdeinum thx, @SecurityFilter or @FilterRegistration(order=200, urlPatterns={"/path/**"}) it would be very nice

[sysmat]

• spring-boot-starter-parent:3.0.3 now none of filters work
• is in this framework such a problem with url path1 apply filter 1, on url path2 apply filter 2

[wilkinsona]

@sysmat I don't see the connection between your latest comment and the rest of this issue. An upgrade to Spring Boot 3.0.3 brings with it an upgrade to Spring Security 6.0. Please check the relevant section of Spring Boot's migration guide and the Spring Security documentation to which it links. If this doesn't help, please open a new issue with a complete yet minimal sample that reproduces the problem.

[sysmat]

@wilkinsona thx for link to migration, but there is nothing of sort braking changes about EnableWebSecurity, SecurityFilterChain, antMatcher, HttpSecurity, OncePerRequestFilter

[sysmat]

• now none of filter are even triggered
• response is still HTTP.status=401
• in HttpSecurity not clear even which matching method should be used

[sysmat]

• HttpSecurity has builder pattern, but in my opinion it has to big public area, for DX is not clear with which method should start configuring it