Description
I think spring-boot-security is not consistent with spring-web in terms of filters.
The situation:
I have a common-lib, which contains 2 filters I use across 4 projects.
I have 3 common services and 1 gateway service with Spring Security.
The filters are annotated with the @Component and @Order annotations. They are auto-registered in all applications, and that is fine.
However, for the project with security I want to have control over the order. (My case: run the filters before BasicAuthenticationFilter.) It is not possible to do this with the @Order annotation. BasicAuthenticationFilter always runs BEFORE the custom filters, even if the order of the custom filters is negative.
Well, then I think: OK, my filters implement OncePerRequestFilter, which means that if I register them explicitly in the security configuration
http.addFilterBefore(new SwaggerAuthFilter(authService), BasicAuthenticationFilter.class);
then it will override the auto-registered order. However, a very strange thing happens: now they are executed twice.
The enhancement I want to suggest is the following:
Create a transparent config which will accept
(req, resp) -> {
    filter1(..
        filter2(..
            interceptor1(..
                interceptor2(..
                    apiHandler(req, resp)
                )
            )
        )
}
because right now the filter chain is the highest class of magic, and it is very hard to understand the entire chain.