grails / grails-spring-security-core

Grails Spring Security Core Plugin
Apache License 2.0

Configuration "filterNames" not working as expected: removal of filters not possible #548

Closed davidkron closed 6 years ago

davidkron commented 6 years ago

From the documentation (16.2. filterNames):

To define custom filters, to remove a core filter from the chain (not recommended), or to otherwise have control over the filter chain, you can specify the filterNames property as a list of strings.

Expected Behavior

grails.plugin.springsecurity.filterChain.filterNames = [
        'securityRequestHolderFilter',
        'securityContextPersistenceFilter',
//        'logoutFilter',
        'authenticationProcessingFilter',
        'securityContextHolderAwareRequestFilter',
//        'rememberMeAuthenticationFilter',
//        'anonymousAuthenticationFilter',
        'exceptionTranslationFilter',
        'filterInvocationInterceptor'
]

As a developer I would expect that only the filters explicitly defined would be active. Meaning the filters I commented out (logoutFilter, rememberMeAuthenticationFilter, anonymousAuthenticationFilter) will not be registered.

Actual Behavior

The commented out filters are still active.

grails-spring-security-core seems to register all filters as Spring Beans, even when they are not needed (not listed in grails.plugin.springsecurity.filterChain.filterNames). Since Spring automatically registers all beans which implement the Filter interface with the filter chain, the configuration option has no effect.

All the option seems to do is "move" the specified filters inside the securityFilterChain but the filters not included in the option list are still registered.

ddelponte commented 6 years ago

To define custom filters, to remove a core filter from the chain (not recommended), or to otherwise have control over the filter chain, you can specify the filterNames property as a list of strings.

I believe the documentation is correct. Commenting out the filter removes it from the filter chain, but the filter will still be registered.

Is this causing a bug or undesired behavior in your app?

davidkron commented 6 years ago

I think an additional note/comment in the documentation would be great, that the term filter chain in this context refers to the Spring Security filter chain. Usually when I hear the term I instinctively think of the application server's filter chain first.

Whether it is a bug or not is a matter of opinion. In my opinion, if something is not needed, e.g. rememberMeAuthenticationFilter, it should not be created/registered, since it adds complexity, could produce side effects or pollute the stacktrace.

For example the Spring Boot security autoconfiguration never registers the security filters as beans in the context, but adds them directly to the security filter chain (and only adds this object as a spring bean which gets added as a servlet filter).
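One way to get the behaviour asked for above in a Grails 3+ application, added here as an example that is neither the plugin's own code nor part of this thread: keep the filterNames list from the first comment, and additionally declare a FilterRegistrationBean with enabled = false for each core filter that was dropped, so Spring Boot skips registering the bare Filter bean with the servlet container. It assumes Spring Boot's behaviour of preferring an explicit FilterRegistrationBean over an auto-detected Filter bean; the *Deregistration bean names and the BootStrap check are constructed for this example.

```groovy
// grails-app/conf/spring/resources.groovy  (added example, not plugin code)
import org.springframework.boot.web.servlet.FilterRegistrationBean

// Core filter bean names that were left out of
// grails.plugin.springsecurity.filterChain.filterNames in the first comment.
// The filter bean names are the plugin's documented ones; the
// "<name>Deregistration" bean names below are our own (constructed).
def unusedSecurityFilters = ['logoutFilter',
                             'rememberMeAuthenticationFilter',
                             'anonymousAuthenticationFilter']

beans = {
    unusedSecurityFilters.each { String filterBeanName ->
        "${filterBeanName}Deregistration"(FilterRegistrationBean) {
            filter = ref(filterBeanName)
            // Spring Boot honours an explicit FilterRegistrationBean instead of
            // auto-registering the Filter bean it wraps; enabled = false tells it
            // to skip the servlet-container registration altogether. The filter
            // bean itself still exists in the context, so this only removes it
            // from the servlet (application server) filter chain.
            enabled = false
        }
    }
}

// grails-app/init/BootStrap.groovy  (added example): verify what the servlet
// container actually has registered, independent of the Spring Security chain.
class BootStrap {
    def init = { servletContext ->
        // Servlet 3.0 API: one entry per filter registered with the container.
        // After the change above, the three deregistered filters should no
        // longer appear in this list.
        servletContext.filterRegistrations.each { String name, reg ->
            println "servlet filter: ${name} -> ${reg.className}"
        }
    }
    def destroy = { }
}
```

The check in BootStrap is the quickest way to tell the two chains apart: filterNames controls only what the Spring Security chain runs, while the servlet container's own registrations are what this listing shows.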

ddelponte commented 6 years ago

I've created PR 549 that I hope will clarify the documentation.

I'll leave this ticket open for a while in case others would like to add to the discussion regarding the registering of filters even when they are not part of the Spring Security filter chain.

ddelponte commented 6 years ago

Closing. Documentation changes have been reviewed and merged.