Multiple pre-auth filters in Spring Security?
I have a need to have multiple PRE_AUTH Spring Security filters. In particular I need to use a PRE_AUTH filter in addition to the two filters configured as PRE_AUTH in the SAML extension to Spring Security 3.0. The existing SAML configuration follows.
<security:http entry-point-ref="samlEntryPoint">
<!-- snip intercepts -->
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlProcessingFilter"/>
<security:custom-filter before="PRE_AUTH_FILTER" ref="samlEntryPoint"/>
<security:custom-filter position="PRE_AUTH_FILTER" ref="metadataFilter"/>
<security:custom-filter after="LOGOUT_FILTER" ref="samlLogoutFilter"/>
<security:custom-filter before="LOGOUT_FILTER" ref="samlLogoutProcessingFilter"/>
</security:http>
The additional PRE_AUTH filter would need to be checked before either of the existing filters (ie: a user authenticated with this authentication method should not be given the opportunity to use SAML.
I considered changing it the following way.
<!-- snip -->
<security:custom-filter before="PRE_AUTH_FILTER" ref="newPreAuthFilter"/>
<security:custom-filter position="PRE_AUTH_FILTER" ref="samlEntryPoint"/>
<security:custom-filter after="PRE_AUTH_FILTER" ref="metadataFilter"/>
<!-- snip -->
Would this work, or is a more complicated solution required.
Answer
Very old question, but still relevant. Use the composite filter from spring:
<security:custom-filter before="PRE_AUTH_FILTER" ref="compositeAuthFilter"/>
<bean id="compositeAuthFilter" class="org.springframework.web.filter.CompositeFilter">
<property name="filters">
<list>
<ref bean="airlockAuthFilter"/>
<ref bean="samlEntryPoint"/>
<ref bean="metadataFilter"/>
</list>
</property>
</bean>