Improve Documentation on Adding a Custom Security Filter #15893

Closed
Kjeff24 opened this issue Oct 9, 2024 · 1 comment
Labels: in: docs (An issue in Documentation or samples), type: enhancement (A general enhancement)
Kjeff24 commented Oct 9, 2024

Expected Behavior

The documentation should clarify that when using HttpSecurity#addFilterBefore(), the specified filter will be executed before the target filter in the filter chain, and if the intention is to have the filter run after authentication filters, the documentation should recommend using HttpSecurity#addFilterAfter().

Current Behavior

Currently, the documentation states: "By adding the filter before the AuthorizationFilter we are making sure that the TenantFilter is invoked after the authentication filters."
Reference: https://docs.spring.io/spring-security/reference/servlet/architecture.html#adding-custom-filter

Context

The misleading information in the documentation affects developers trying to implement security filters correctly. Many may end up placing filters in the wrong order, leading to tenant-specific logic being executed before authentication is completed.

Possible Fix

Update the documentation to:

  • Use before instead of after in the statement "By adding the filter before the AuthorizationFilter we are making sure that the TenantFilter is invoked after the authentication filters."
  • Clearly explain the purpose of addFilterBefore(), addFilterAfter(), and addFilterAt().
  • Provide examples illustrating the correct usage of these methods in relation to authentication and authorization filters.
@Kjeff24 Kjeff24 added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Oct 9, 2024
jzheaux (Contributor) commented Oct 24, 2024

Thanks for the suggestion, @Kjeff24. I've made several edits based on your recommendations. Once the deployment completes, you should be able to review it at https://docs.spring.io/spring-security/reference/6.4-SNAPSHOT/servlet/architecture.html#adding-custom-filter. Please let me know if you recommend any other changes!

@jzheaux jzheaux added in: docs An issue in Documentation or samples and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 24, 2024
@jzheaux jzheaux self-assigned this Oct 24, 2024
@jzheaux jzheaux added this to the 6.4.0 milestone Oct 24, 2024
@jzheaux jzheaux changed the title from "Enhancement: Improve Documentation on Adding a Custom Filter to the Filter Chain" to "Improve Documentation on Adding a Custom Security Filter" Oct 24, 2024
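
An example of the filter placement discussed in this issue, added here and not taken from the Spring Security documentation or from either participant: a hypothetical `TenantFilter` registered after the authentication filters, which rejects the request when no `Authentication` is present. The `X-Tenant-Id` header, the `tenantId` request attribute and the class names are assumptions.

```java
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class TenantSecurityConfig {

    // Hypothetical tenant filter. It needs a populated Authentication, so it
    // fails closed if it ends up ahead of the authentication filters.
    static class TenantFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request,
                HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            String tenantId = request.getHeader("X-Tenant-Id"); // assumed header name
            if (auth == null || !auth.isAuthenticated() || tenantId == null) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            request.setAttribute("tenantId", tenantId); // assumed attribute name
            chain.doFilter(request, response);
        }
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // AnonymousAuthenticationFilter is ordered after the authentication
            // filters, so the tenant check runs once authentication has been attempted.
            // Alternative: addFilterBefore(new TenantFilter(), AuthorizationFilter.class)
            .addFilterAfter(new TenantFilter(), AnonymousAuthenticationFilter.class);
        return http.build();
    }
}
```

`TenantFilter` is instantiated inline rather than declared as a bean, so a Spring Boot application does not also register it as a servlet filter outside the security filter chain.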