Add nested custom filters in Spring Security filterchain

Question

I created two filters to perform authentication with the JWT Token. I would like to handle a JWT exception in the first one: exceptionTokenVerificationHandlerFilter and check if all is OK within the second: jwtTokenFilter. If authentication fails because of the expiration date, the process back to the first filter and sends a response to the front with an access denied message.

I used this answer as support for my app : https://github.com/szerhusenBC/jwt-spring-security-demo/issues/63#issuecomment-377012514

My classes :

WebSecurityConfig

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic().disable()
            .addFilterBefore(exceptionTokenVerificationHandlerFilter, JwtTokenFilter.class)
            .addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class)
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .cors().and()
            .csrf().disable()
            .authorizeRequests() // .antMatchers("/**")
                .antMatchers("/login/**", "/register/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")      
                .anyRequest().authenticated()
                .and()
            //.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
            .addFilterAt(customUsernamePasswordAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)    
            /*.formLogin()
                .loginPage("http://localhost:4200/login")//.failureUrl("/login-error")
                .loginProcessingUrl("/login") 
                .usernameParameter("email")
                .successHandler(customAuthenticationSuccessHandler)
                .and()*/
            .logout() 
                .permitAll();
    }    

ExceptionTokenVerificationHandlerFilter

package app.shellx.security;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.web.filter.OncePerRequestFilter;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

import io.jsonwebtoken.JwtException;

@Configuration
public class ExceptionTokenVerificationHandlerFilter extends OncePerRequestFilter {

    @Override
    public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        try {
            filterChain.doFilter(request, response);
        } catch (JwtException e) {

            String message;

            switch(e.getClass().getName()) {
            case "ExpiredJwtException":
                message = "token-expired";
            break;
            default:
                message = e.getMessage();
            break;
            }

            response.setStatus(HttpStatus.BAD_REQUEST.value());
            response.getWriter().write(convertObjectToJson(message));
    }
}

    private String convertObjectToJson(Object object) throws JsonProcessingException {
        if (object == null) {
            return null;
        }
        ObjectMapper mapper = new ObjectMapper();
        return mapper.writeValueAsString(object);
    }

}

JwtTokenFilter

package app.shellx.security;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

@Configuration
public class JwtTokenFilter extends GenericFilterBean {

    private JwtTokenProvider jwtTokenProvider;

    public JwtTokenFilter(JwtTokenProvider jwtTokenProvider) {
        this.jwtTokenProvider = jwtTokenProvider;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) throws IOException, ServletException {
        String token = jwtTokenProvider.resolveToken((HttpServletRequest) req);
        if (token != null && jwtTokenProvider.validateToken(token)) {
            Authentication auth = token != null ? jwtTokenProvider.getAuthentication(token) : null;
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        filterChain.doFilter(req, res);
    }
}

So can I add in the filterchain two custom filters one after the other ?

I receive at the moment the following error message from compilator :

Caused by: java.lang.IllegalArgumentException: Cannot register after unregistered Filter class app.shellx.security.JwtTokenFilter

Answer 1

I solved myself the problem by using @Order annotation on both filter classes. @Order(1) for ExceptionTokenVerificationHandlerFilter and @Order(2) for JwtTokenFilter .

I also changed second parameter of the first addFilterBefore() by UsernamePasswordAuthenticationFilter.class It seems that we can't put a custom filter as the second parameter in this method.