New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding filters relative to custom ones is broken #9787
Comments
As a temporary workaround, it looks like specifying the same So until this is resolved, the below code should work http.addFilterAfter(new SpringRelativeFilter(), SecurityContextHolderAwareRequestFilter.class)
.addFilterAfter(new CustomRelativeFilter(), SecurityContextHolderAwareRequestFilter.class); |
same here with Keycloak spring security adapter |
The Keycloak spring security adapter can be fixed using the workaround from @austinarbor. |
sure, I wanted to point out the importance of the bug |
Found this issue after running a CI test build with Spring Boot 2.5.0 and all our security filter related tests failed. Resolving was as per @austinarbor to only use Filters that come pre-supplied. From .addFilterAfter(new DeviceAuthenticationFilter(authenticationManager), BasicAuthenticationFilter.class)
.addFilterBefore(wrappingFilter, DeviceAuthenticationFilter.class) to .addFilterAfter(new DeviceAuthenticationFilter(authenticationManager), BasicAuthenticationFilter.class)
.addFilterAfter(wrappingFilter, BasicAuthenticationFilter.class) Executing in JDK 15 also give more info about the specifics of the NPE, but nothing that @whcrow hasn't already supplied Of the other 100's of tests no others failed, so testamount to the excellent Spring devs that this is only issue experienced after such a big change. |
@Stexxen |
Some here by using the KeycloakWebSecurityConfigurerAdapter and updating to Spring Boot 2.5.0 with its Spring Security 5.5 transitive dependency. |
An issue has been opened on Keycloak side too: https://issues.redhat.com/browse/KEYCLOAK-18283 |
Added a pull request for fixing this issue #9832 |
Culprit: a31a855. That commit includes tests, but none of those tests operate on custom filters — so only filters "hardcoded" in FilterOrderRegistration will work as anchors for configuring before/after filters. However, custom filters are never added into the backing Line 143 in 68f91ed
Lines 2653 to 2657 in 68f91ed
|
Created a PR with
P.S. |
Thanks to everyone that contributed to this issue. The fix was merged into the @selfenergy, @whcrow, @austinarbor, @z0mb1ek, would you please test those changes in your applications by using the |
@marcusdacoregio works like a charm, thx |
works with 5.5.1-SNAPSHOT, Thanks 👏 |
@marcusdacoregio Works perfekt. Can also confirm that both filter are called in the correct order. |
@marcusdacoregio: works with 5.5.1-SNAPSHOT connected to Keycloak |
Hi, I've discovered what seems like a very similar error case to this one that hasn't been addressed yet (as far as I know). It happens when adding ONLY a custom filter using the addFilterAfter method, the NPE is the same as before this fix. For example, if you comment the first filter on @ngergs little project you'd get that. Any help with this? Thanks a lot and regards. |
Hi, @bgarciaentornos.
If you comment that line of code, the first filter will never get registered, therefore the NPE is expected in this scenario. If you think it is really a bug, please create a minimal, reproducible sample and open a new issue. Thank you! |
Yep, sorry, it wasn't exactly like that. Our case is with a OAuth2ClientContextFilter being registered as a Bean. We're going to check it again and open an issue if we find it reproducible. Thanks for your help. |
Describe the bug
Adding a filter relative (before/after) to a custom defined filter added previously does not work since spring security 5.5.0.
To Reproduce
Clone this minimal example project. Run
and see that it breaks (works when downgrading spring boot to 2.4.5).
Relevant code lines:
Expected behavior
Adding filters relative to custom defined ones should work.
Sample
minimal example project
If this is indeed a bug and you are interested I would offer to prepare a PR to adjust the behaviour :)
Related: gh-9633
The text was updated successfully, but these errors were encountered: