How Spring Security's built-in filters are maintained

How is the order of built-in filters maintained in Spring Security? I think many developers are interested in this question. In this article, I will discuss this issue with you.

HttpSecurity contains a member variable FilterOrderRegistration and this class is a built-in filter registry. As for the role of these filters, not the focus of this article, interested to see the FilterOrderRegistration source code.

Order of built-in filters

The FilterOrderRegistration maintains a variable filterToOrder that records the order between classes and the interval steps between the top and bottom. We copied a FilterOrderRegistration to visualize the order of the filters.

CopyFilterOrderRegistration filterOrderRegistration = new CopyFilterOrderRegistration();
// 获取内置过滤器  此方法并未提供
Map<String, Integer> filterToOrder = filterOrderRegistration.getFilterToOrder();
TreeMap<Integer, String> orderToFilter = new TreeMap<>();
filterToOrder.forEach((name, order) -> orderToFilter.put(order,name));
orderToFilter.forEach((order,name) -> System.out.println(" 顺序：" + order+" 类名：" + name ));

Output results:

Spring Security

We can see that the position between the built-in filters is relatively fixed, except for the first and second steps of 200 and the other steps of 100.

The built-in filters do not always take effect, they are simply prepositioned and need to be added explicitly via the addFilterXXXX series of methods in HttpSecurity.

Logic for registering filters

FilterOrderRegistration provides a put method.

 void put(Class<? extends Filter> filter, int position) {
  String className = filter.getName();
        // 如果这个类已经注册就忽略
  if (this.filterToOrder.containsKey(className)) {
   return;
  }
        // 如果没有注册就注册顺序。
  this.filterToOrder.put(className, position);
 }

From this approach we can draw several conclusions.

The built-in 34 filters have a fixed serial number and cannot be changed.
The class-qualified name of a newly added filter cannot be duplicated with the built-in filter.
The order of the newly added filters can be duplicated with the order of the built-in filters.

Get the order value of registered filters

FilterOrderRegistration also provides a getOrder method.

Integer getOrder(Class<?> clazz) {
    // 如果类Class 或者 父类Class 名为空就返回null
    while (clazz != null) {
        Integer result = this.filterToOrder.get(clazz.getName());
        // 如果获取到顺序值就返回
        if (result != null) {
            return result;
        }
        // 否则尝试去获取父类的顺序值
        clazz = clazz.getSuperclass();
    }
    return null;
}

HttpSecurity methods for maintaining filters

Next we analyze a few of the methods that HttpSecurity uses to maintain filters.

addFilterAtOffsetOf

addFilterAtOffsetOf is a built-in private method of HttpSecurity. Filter is the filter you want to register to the DefaultSecurityFilterChain, offset is the offset to the right, registeredFilter is the filter already registered to the FilterOrderRegistration, and registeredFilter will throw a null pointer exception if it is not registered.

private HttpSecurity addFilterAtOffsetOf(Filter filter, int offset, Class<? extends Filter> registeredFilter) {
    // 首先会根据registeredFilter的顺序和偏移值来计算filter的
    int order = this.filterOrders.getOrder(registeredFilter) + offset;
    // filter添加到集合中待排序
    this.filters.add(new OrderedFilter(filter, order));
    // filter注册到 FilterOrderRegistration
    this.filterOrders.put(filter.getClass(), order);
    return this;
}

Always remember that registeredFilter must be a Filter that is registered in FilterOrderRegistration.

addFilter series methods

Here is an example of addFilterAfter.

 @Override
 public HttpSecurity addFilterAfter(Filter filter, Class<? extends Filter> afterFilter) {
  return addFilterAtOffsetOf(filter, 1, afterFilter);
 }

addFilterAfter is to place filter one place after afterFilter, if the order of afterFilter is 400, then the order of filter is 401. The addFilterBefore and addFilterAt logic and the addFilterAfter logic are only differences in offset values, so we won’t go over them here.

The addFilter method is special.

@Override
 public HttpSecurity addFilter(Filter filter) {
  Integer order = this.filterOrders.getOrder(filter.getClass());
  if (order == null) {
   throw new IllegalArgumentException("The Filter class " + filter.getClass().getName()
     + " does not have a registered order and cannot be added without a specified order. Consider using addFilterBefore or addFilterAfter instead.");
  }
  this.filters.add(new OrderedFilter(filter, order));
  return this;
 }

The filter must be a Filter that has been registered to FilterOrderRegistration, which means it may be a built-in Filter or it may be a non-built-in Filter previously registered via addFilterBefore, addFilterAt or addFilterAfter.

Here comes the problem

I saw a question earlier, if HttpSecurity registers two Filters with duplicate serial numbers, what will be the order? Let’s look at the ordering mechanism first.

// filters
private List<OrderedFilter> filters = new ArrayList<>(); 
//排序
this.filters.sort(OrderComparator.INSTANCE);

After looking at the OrderComparator source code, it is still sorted by the natural order of numbers, the smaller the number, the higher it is. If the numbers are the same, the smaller the index, the higher it is. That is to say, whoever add to filters first is the first in the same order number.

Reference https://mp.weixin.qq.com/s/EoMkM6-BFoZHgx4c_5T8zw

Table of Contents