Azure-Samples/hello-spring-function-azure

Spring Filters aren't working

namitgupta opened this issue · 3 comments

Spring Filters aren't working:

We have built an Azure Function using the Azure Spring Boot starter kit. We have a use case wherein we have to validate a token in the request header of the incoming request.

We were thinking of implementing a Filter for this. However, the filter is not getting invoked even though we have registered it in the filter chain.

Web security configuration:

package com.xxx;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;

@EnableWebSecurity(debug = true) // when you want to see what filters are applied
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.addFilterBefore(new AuthenticationFilter(), WebAsyncManagerIntegrationFilter.class);
  }
}

Authentication Filter:

package com.xxx;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.GenericFilterBean;


@WebFilter(urlPatterns = "/api/*")
public class AuthenticationFilter extends GenericFilterBean {

     @Override
     public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {

      HttpServletRequest request = (HttpServletRequest) servletRequest;
      HttpServletResponse response = (HttpServletResponse) servletResponse;

      System.out.println("This Filter is only called when request is mapped for /customer resource");

      //call next filter in the filter chain
      filterChain.doFilter(request, response);
     }

     @Override
     public void destroy() {

     }

}

Please provide some pointers?

Functions are different from Servlets, I don't think those could work at all. Have you seen this somewhere in the documentation?

Hi @jdubois,
Thanks for your response!

What are the options at hand for such a scenario?

Regards,
Namit

Hi @namitgupta:

  • If you haven't seen it in the documentation, then I can confirm: this isn't going to work with Spring Security. This isn't a model based on Servlets, and also serverless functions do not work the same way as a classical Spring Boot application does (you won't have a session, and even less sticky sessions).
  • Here are some good pointers at the end of this article: https://dev.to/protego/azure-functions-security-best-practices-5og
  • I'm closing this as it's not a bug in the sample app, more of a general question -> I would rather discuss this on StackOverflow using the correct tags, as we would have more contributions, and also it would be available to more people
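
Added example, not part of the thread or of the sample project: because no servlet filter chain runs in front of an Azure Function, the header check can be made the first statement of the HTTP-triggered handler. It assumes a shared bearer token held in an app setting and the azure-functions-java-library on the classpath; the package, class name, function name and the `API_TOKEN` setting are hypothetical.

```java
package com.example; // hypothetical package

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Optional;

import com.microsoft.azure.functions.*;
import com.microsoft.azure.functions.annotation.*;

public class GuardedFunction {
    // Hypothetical app setting that holds the expected token.
    static final String TOKEN_SETTING = "API_TOKEN";

    @FunctionName("guarded")
    public HttpResponseMessage run(
            @HttpTrigger(name = "req", methods = {HttpMethod.GET, HttpMethod.POST},
                         authLevel = AuthorizationLevel.ANONYMOUS)
            HttpRequestMessage<Optional<String>> request,
            ExecutionContext context) {
        // The check a servlet filter would have done, made explicit in the handler.
        if (!isAuthorized(request.getHeaders(), System.getenv(TOKEN_SETTING))) {
            context.getLogger().warning("Rejected request: missing or invalid bearer token");
            return request.createResponseBuilder(HttpStatus.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Bearer")
                    .build();
        }
        return request.createResponseBuilder(HttpStatus.OK).body("authorized").build();
    }

    static boolean isAuthorized(Map<String, String> headers, String expected) {
        if (expected == null || expected.isEmpty()) {
            return false; // fail closed when the setting is missing
        }
        // Match the header name case-insensitively and skip null values.
        String value = headers.entrySet().stream()
                .filter(e -> "authorization".equalsIgnoreCase(e.getKey()) && e.getValue() != null)
                .map(Map.Entry::getValue).findFirst().orElse("");
        if (!value.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return false;
        }
        byte[] presented = value.substring(7).trim().getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual avoids an early-exit comparison on the secret.
        return MessageDigest.isEqual(presented, expected.getBytes(StandardCharsets.UTF_8));
    }
}
```

Every HTTP-triggered function needs the same call as its first statement, since nothing applies it globally the way a filter mapping would.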