在安全的 Spring Boot Webflux 应用程序中调用了两次 WebFilter bean

Question

I am using Spring Boot 2.1.x with webflux and security. I define some beans of type AuthenticationWebFilter that are added to the MatcherSecurityWebFilterChain . The problem is that since they are defined as beans, they are also added at the end of the filter chain so they are executed twice.

For Servlet applications we could use FilterRegistrationBean to avoid this:

@Bean
    fun someFilterRegistrationBean() {
        val frb = FilterRegistrationBean(xxx)
        frb.setEnabled(false)
        return frb
    }

What would be the equivalent for reactive applications?

Answer 1

In my case, I have to execute a custom logic stored in TestGatewayFilter to modify ServerWebExchange object at the end in SecurityWebFilterChain. If we create a bean of TestGatewayFilter and let spring process it, we find that filter logic is invoked twice per request.
I researched but didn't find a way to define FilterRegistrationBean in spring-webflux-security but found a different approach to the same while debugging.

As a workaround, I created a custom bean of SecurityWebFilterChain and injected the filter at the end of the chain. To prevent the spring from injecting this filter twice, we remove the logic to create a bean of it. Now, the filter logic is getting invoked once per request.

public class TestGatewayFilter implements WebFilter {
    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        // To-Do logic
    }
}

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http.addFilterAfter(new TestGatewayFilter(), SecurityWebFiltersOrder.AUTHORIZATION)
            .authorizeExchange()
            .anyExchange().authenticated();
    return http.build();
}

In this I have used addFilterAfter () method to add my filter after the last filter to be executed in chain.

ServerHttpSecurity class provides 2 more methods to add a filter before another filter or at a specific location in the chain. They take the same set of arguments taken by addFilterAfter() method and can be used in similar way:

addFilterBefore()
addFilterAt()

While debugging, this is the filter execution order in SecurityWebFilterChain:

1. ServerWebExchangeReactorContextWebFilter
2. HttpHeaderWriterWebFilter
3. CorsWebFilter
4. ReactorContextWebFilter
5. AuthenticationWebFilter
6. SecurityContextServerWebExchangeWebFilter
7. ServerRequestCacheWebFilter
8. LogoutWebFilter
9. ExceptionTranslationWebFilter
10. AuthorizationWebFilter
11. TestGatewayFilter

Answer 2

I my case I've created custom TokenExchangeFilter that implements org.springframework.web.server.WebFilter as a spring @Bean . Then I've tried to use it via @Autowire while configuring web flux security filter chain.

  @Bean
  SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    http
        // ...
        .and()
          .addFilterAfter(tokenExchangeFilter, SecurityWebFiltersOrder.AUTHENTICATION);
    return http.build();
  }

That way spring would use it twice. To solve it I've instantiated TokenExchangeFilter manually in place (made TokenExchangeFilter not a spring bean).

  @Bean
  SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    http
        // ...
        .and()
          .addFilterAfter(new TokenExchangeFilter(authClientService), SecurityWebFiltersOrder.AUTHENTICATION);

    return http.build();
  }