Provide a mechanism to easily register a custom RequestDataValueProcessor

[SnakeSVx]

We are in the process of switching a regular spring application over to spring-boot, but we hit a small problem while transfering to spring-boot.

We have defined a Custom RequestDataValueProcessor which is being overriden by spring-security.

In our own application, before using spring-boot, we were able to overcome this problem by defining this bean in a different location. The problem we are facing now is that spring-boot executes certain configurations at a later time, which makes it impossible for us to override the behaviour again.

In our console log we see a message like this:

2015-12-04 10:49:28.120  INFO 7584 --- [           main] o.s.b.f.s.DefaultListableBeanFactory     : Overriding bean definition for bean 'requestDataValueProcessor' with a different definition: replacing [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=demoApplication; factoryMethodName=requestDataValueProcessor; initMethodName=null; destroyMethodName=(inferred); defined in com.example.DemoApplication] with [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration; factoryMethodName=requestDataValueProcessor; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.class]] 

I have added a simple demo application where you can see this behaviour.
The href on the anchor(a) tag on the index page should contain "OVERRIDEN ACTION" instead of the default "/" that was defined in the page itself.

For this example spring-security is enabled, the username="user", the password is generated in the console.

[SnakeSVx]

Demo file, since github would not let me upload it.
https://www.wetransfer.com/downloads/f9350a835f6573eb7788ff6cd164f82720151204100358/1017bee3b9dc37c09a54320db35e437c20151204100358/60f3ba

[philwebb]

One way that might work is to use a BeanDefinitionRegistryPostProcessor. Try replacing the requestDataValueProcessor @Bean method in your config with this:

    @Bean
    public static BeanDefinitionRegistryPostProcessor requestDataValueProcessorPostProcessor() {
        return new BeanDefinitionRegistryPostProcessor() {

            @Override
            public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
            }

            @Override
            public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) throws BeansException {
                registry.removeBeanDefinition("requestDataValueProcessor");
                registry.registerBeanDefinition("requestDataValueProcessor",
                        new RootBeanDefinition(CustomRequestDataValueProcessor.class));
            }

        };
    }

[philwebb]

@rstoyanchev @rwinch Is there a better way to do this?

[rwinch]

This is related to SEC-3063. The current mechanism for overriding the requestDataValueProcessor Bean is to ensure that the Bean is defined in the class annotated with @EnableWebSecurity. This ensures that Spring Security's requestDataValueProcessor is created first and thus overridden.

I'd actually be interested if @rstoyanchev has a better approach to Spring Security providing a default RequestDataPostProcessor.

[rstoyanchev]

@SnakeSVx can you clarify the purpose of your custom RequestDataValueProcessor? In other words is the intent to replace/customize the CsrfRequestDataValueProcessor from Spring Security? Do you want them both to work? Or do you not care if CsrfRequestDataValueProcessor is there or not?

[SnakeSVx]

@rstoyanchev At the moment we are using our custom RequestDataValueProcessor for rewriting url's to make sure they are compatible with our proxy configuration and to replace certain keywords in url's to go to external url's. At the moment we are also not using the CsrfRequestDataValueProcessor (but if we ever do it seems easy enough for us to just extend it or write our own RequestDataValueProcessor that combines the two). So we don't need to have them both working at the same time.

One thing we currently are trying out (and so far seems to be working) is using auto-configuration to register our own RequestDataValueProcessor after the SecurityAutoConfiguration has run.

But since we are not sure if this will keep working in future versions, it would always be nice to know if this is the way to go, or if an easier (preferably integrated spring-boot) solution would be possible.

[wilkinsona]

so far seems to be working) is using autoconfiguration to register our own RequestDataValueProcessor after the SecurityAutoConfiguration has run.

Given the way things are at the moment, that's a good approach. I assume you're using @AutoConfigureAfter to get the ordering right? We use this sort of ordering in numerous places so it's safe to assume that it'll work for the foreseeable future.

I agree it'd be nice to have an "official" way to do this. Using @EnableWebSecurity isn't ideal in a Boot app as it'll switch off some of Boot's Security auto-configuration.

[SnakeSVx]

Yes, at the moment we are using 2 conditionals. The first checks if the CsrfRequestDataValueProcessor is on the classpath, the second one is used to make sure we only auto-configure after SecurityAutoConfiguration.

[rstoyanchev]

What about adding @Primary as suggested in https://jira.spring.io/browse/SEC-3062?