Closed davidkron closed 6 years ago
I believe the documentation is correct. Commenting out the filter removes it from the filter chain, but the filter will still be registered.
Is this causing a bug or undesired behavior in your app?
I think an additional note/comment in the documentation would be great, that the term filter chain in this context refers to the Spring Security filter chain. Usually when I hear the term I instinctively think of the application server's filter chain first.
If it is a bug or not is a matter of opinion. In my opinion, if something is not needed, e.g. rememberMeAuthenticationFilter, it should not be created/registered, since it adds complexity, could produce side effects or pollute the stack trace.
For example the Spring Boot security autoconfiguration never registers the security filters as beans in the context, but adds them directly to the security filter chain (and only adds this object as a spring bean which gets added as a servlet filter).
I've created PR 549 that I hope will clarify the documentation.
I'll leave this ticket open for a while in case others would like to add to the discussion regarding the registering of filters even when they are not part of the Spring Security filter chain.
Closing. Documentation changes have been reviewed and merged.
From the documentation:
16.2. filterNames
To define custom filters, to remove a core filter from the chain (not recommended), or to otherwise have control over the filter chain, you can specify the filterNames property as a list of strings.
Expected Behavior
As a developer I would expect that only the filters explicitly defined would be active. Meaning the filters I commented out (logoutFilter, rememberMeAuthenticationFilter, anonymousAuthenticationFilter) will not be registered.
Actual Behavior
The commented out filters are still active.
grails-spring-security-core seems to register all filters as Spring Beans, even when they are not needed (not listed in grails.plugin.springsecurity.filterChain.filterNames). Since Spring automatically registers all beans which implement the Filter interface with the filter chain, the configuration option has no effect. All the option seems to do is "move" the specified filters inside the securityFilterChain but the filters not included in the option list are still registered.