Spring Security FilterChainProxy is registered automatically as a Filter #2171
Description
Spring Security is exposing a Filter which registered by Spring Boot. This results in a duplicate filter registration and unpredictable behaviour of our application.
Details:
org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity is registering a FilterChainProxy instance bean which is a Filter as this:
@Bean(name=AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public Filter springSecurityFilterChain() throws Exception {
boolean hasConfigurers = webSecurityConfigurers != null && !webSecurityConfigurers.isEmpty();
if(!hasConfigurers) {
throw new IllegalStateException("At least one non-null instance of "+ WebSecurityConfigurer.class.getSimpleName()+" must be exposed as a @Bean when using @EnableWebSecurity. Hint try extending "+ WebSecurityConfigurerAdapter.class.getSimpleName());
}
return webSecurity.build();
}
I have declared a FilterRegistrationBean a FilterRegistrationBean as here: org.springframework.boot.autoconfigure.security.SpringBootWebSecurityConfiguration#securityFilterChainRegistration
@Bean
@ConditionalOnBean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public FilterRegistrationBean securityFilterChainRegistration( ) {
DelegatingFilterProxy delegatingFilterProxy = new DelegatingFilterProxy();
delegatingFilterProxy.setTargetBeanName(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);
FilterRegistrationBean registrationBean = new FilterRegistrationBean(delegatingFilterProxy);
registrationBean.addUrlPatterns("/*");
return registrationBean;
}
This seems a bug to me. Am I missing something?