svlada / springboot-security-jwt

Token-based authentication using Spring Boot and JWT.

Why is JwtTokenProcessingFilter's attemptAuthentication invoked twice in the "api/me" request?

tsaway opened this issue · comments

Hello,
Great tutorial, but I have a question about this module:

public class JwtTokenAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter {
    private final AuthenticationFailureHandler failureHandler;
    private final TokenExtractor tokenExtractor;

    @Autowired
    public JwtTokenAuthenticationProcessingFilter(AuthenticationFailureHandler failureHandler,
            TokenExtractor tokenExtractor, RequestMatcher matcher) {
        super(matcher);
        this.failureHandler = failureHandler;
        this.tokenExtractor = tokenExtractor;
    }

    // Reads the raw token from the request header and hands it to the AuthenticationManager.
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String tokenPayload = request.getHeader(WebSecurityConfig.JWT_TOKEN_HEADER_PARAM);
        RawAccessJwtToken token = new RawAccessJwtToken(tokenExtractor.extract(tokenPayload));
        return getAuthenticationManager().authenticate(new JwtAuthenticationToken(token));
    }

    // Stores the authenticated principal in the security context, then continues the filter chain.
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
            Authentication authResult) throws IOException, ServletException {
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authResult);
        SecurityContextHolder.setContext(context);
        chain.doFilter(request, response);
    }
}

The http://localhost:9966/api/me request causes the JwtTokenAuthenticationProcessingFilter to be invoked two times. What are the reasons?
Can you help me with this?

Regards

Hi @tsaway,

Could you please re-test? I have committed a change.

The problem was in the following methods and the @Bean annotation:

com.svlada.security.config.WebSecurityConfig.buildAjaxLoginProcessingFilter()
com.svlada.security.config.WebSecurityConfig.buildJwtTokenAuthenticationProcessingFilter()

I've found that these two filters were registered as part of both the original and additionalFilters properties inside of FilterChainProxy.

FilterChainProxy 
org.springframework.security.web.FilterChainProxy.VirtualFilterChain.doFilter(ServletRequest, ServletResponse)

This behavior is happening with the latest versions of spring-boot-starter-security. Can you tell me why?
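
Added example, not part of the thread or the project's own code: Spring Boot registers every `Filter` that is exposed as a bean with the servlet container, so a filter that is also added to the Spring Security chain runs twice per request. One way to keep the bean but stop the second registration is shown below; it assumes Spring Boot 2.x or later (generic `FilterRegistrationBean`), that the filter is still exposed as a bean, and a hypothetical configuration class name.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical class name. Place it in the same package as
// JwtTokenAuthenticationProcessingFilter, or add an import for that class.
@Configuration
public class JwtFilterRegistrationConfig {

    /**
     * Wraps the existing filter bean in a FilterRegistrationBean and disables it.
     * Spring Boot then skips registering the filter directly with the servlet
     * container, so it runs only where Spring Security places it (the
     * additionalFilters of FilterChainProxy) and attemptAuthentication is
     * invoked once per request.
     */
    @Bean
    public FilterRegistrationBean<JwtTokenAuthenticationProcessingFilter> jwtFilterRegistration(
            JwtTokenAuthenticationProcessingFilter filter) {
        FilterRegistrationBean<JwtTokenAuthenticationProcessingFilter> registration =
                new FilterRegistrationBean<>(filter);
        // Disable container-level registration only; the security chain still uses the filter.
        registration.setEnabled(false);
        return registration;
    }
}
```

The same registration pattern applies to the login filter built by `buildAjaxLoginProcessingFilter()`. The alternative is to drop `@Bean` from both builder methods so the filters are never exposed as beans.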