Why does JwtTokenProcessingFilter's attemptAuthentication get invoked twice in an "api/me" request?
tsaway opened this issue · comments
tsaway commented
Hello,
Great tutorial, but I have a question about this module:
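```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.util.matcher.RequestMatcher;

// TokenExtractor, RawAccessJwtToken, JwtAuthenticationToken and WebSecurityConfig are the tutorial project's own classes.
public class JwtTokenAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter {
    private final AuthenticationFailureHandler failureHandler;
    private final TokenExtractor tokenExtractor;

    @Autowired
    public JwtTokenAuthenticationProcessingFilter(AuthenticationFailureHandler failureHandler,
            TokenExtractor tokenExtractor, RequestMatcher matcher) {
        super(matcher);
        this.failureHandler = failureHandler;
        this.tokenExtractor = tokenExtractor;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        // Read the token from the request header and hand it to the AuthenticationManager.
        String tokenPayload = request.getHeader(WebSecurityConfig.JWT_TOKEN_HEADER_PARAM);
        RawAccessJwtToken token = new RawAccessJwtToken(tokenExtractor.extract(tokenPayload));
        return getAuthenticationManager().authenticate(new JwtAuthenticationToken(token));
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
            Authentication authResult) throws IOException, ServletException {
        // Store the authenticated token in a fresh SecurityContext, then continue the chain.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authResult);
        SecurityContextHolder.setContext(context);
        chain.doFilter(request, response);
    }
}
```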
A request to http://localhost:9966/api/me causes the JwtTokenAuthenticationProcessingFilter to be invoked two times. What are the reasons?
Can you help me with this?
Regards
Vladimir Stanković commented
Hi @tsaway,
Could you please re-test? I have committed a change.
The problem was in the following methods and the @Bean annotation:
com.svlada.security.config.WebSecurityConfig.buildAjaxLoginProcessingFilter()
com.svlada.security.config.WebSecurityConfig.buildJwtTokenAuthenticationProcessingFilter()
I've found that these two filters were registered as part of the original and additionalFilters properties inside of FilterChainProxy.
FilterChainProxy
org.springframework.security.web.FilterChainProxy.VirtualFilterChain.doFilter(ServletRequest, ServletResponse)
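
One way to keep a filter bean from running twice, as an added example that is not code from the project or from this thread: Spring Boot registers every `Filter` bean with the servlet container, so a filter that is also placed in the Spring Security chain is invoked once in each. The sketch assumes Spring Boot 2.x (`javax.servlet`; Boot 3 uses `jakarta.servlet`) and the `JwtTokenAuthenticationProcessingFilter` class quoted above; the configuration class and method names are hypothetical.

```java
import javax.servlet.Filter;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Added example (hypothetical class and method names), not the project's code.
// Assumes JwtTokenAuthenticationProcessingFilter is a Spring bean that is also
// added to the Spring Security filter chain; import it from the project's package.
@Configuration
public class SecurityFilterRegistrationConfig {

    // Spring Boot registers every Filter bean with the servlet container.
    // A filter that also sits in the Spring Security chain is then reachable
    // twice per request: once inside FilterChainProxy and once in the
    // container's own chain. A disabled FilterRegistrationBean keeps the bean
    // injectable while switching off the container-level registration.
    private static <T extends Filter> FilterRegistrationBean<T> securityChainOnly(T filter) {
        FilterRegistrationBean<T> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false); // do not map this filter in the container
        return registration;
    }

    @Bean
    public FilterRegistrationBean<JwtTokenAuthenticationProcessingFilter> jwtFilterRegistration(
            JwtTokenAuthenticationProcessingFilter jwtFilter) {
        return securityChainOnly(jwtFilter);
    }
}
```

Removing `@Bean` from the filter's factory method, so that only the security configuration holds the instance, avoids the container registration without this extra bean.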
ArthurMenezes commented
This behavior is happening with the latest versions of spring-boot-starter-security. Can you tell me why?