Skip to content

Override OncePerRequestFilter#getAlreadyFilteredAttributeName in AuthenticationFilter #17186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Override OncePerRequestFilter#getAlreadyFilteredAttributeName in AuthenticationFilter #17186

wants to merge 1 commit into from

Conversation

therepanic
Copy link
Contributor

This change will enable us to use multiple AuthenticationFilter.

Fix: #17173

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 29, 2025
@jgrandja jgrandja self-assigned this May 29, 2025
@jgrandja jgrandja added type: bug A general bug in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels May 29, 2025
jgrandja
jgrandja reviewed May 29, 2025
View reviewed changes
web/src/main/java/org/springframework/security/web/authentication/AuthenticationFilter.java Outdated
@@ -222,4 +223,9 @@ private Authentication attemptAuthentication(HttpServletRequest request, HttpSer
return authenticationResult;
}

@Override
protected String getAlreadyFilteredAttributeName() {
return getClass().getName() + ".FILTERED";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@therepanic This does not solve the issue as 2 instances of AuthenticationFilter in the chain would return the same value from getAlreadyFilteredAttributeName(), resulting in the 2nd AuthenticationFilter never being called.

Please adjust and add a test that demonstrates the fix.

Copy link
Contributor Author

@therepanic therepanic May 29, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I apologize for not accurately solving the problem. We do want each AuthenticationFilter instance to be honored in the chain. What I did I guess won't work if the filters are the same and added to the chain. Then I guess we need to use something like identityHashCode for getAlreadyFilteredAttributeName()? I just want to make sure it's right for us. Thanks.

@therepanic
Copy link
Contributor Author

therepanic commented May 30, 2025
edited
Loading

I made the changes you asked for. Including adding a test.

Before the changes, this test failing because converter2 is not called. With the changes this text runs as it should.

@therepanic therepanic requested a review from jgrandja May 30, 2025 13:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jgrandja jgrandja Awaiting requested review from jgrandja

Assignees

@jgrandja jgrandja

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

DPoP filter is ignored when another AuthenticationFilter is present
3 participants
@therepanic @jgrandja @spring-projects-issues