SHIRO-792

ShiroWebFilterConfiguration seems to conflict with other FilterRegistrationBean


Details

    Description

      I'm using shiro-spring-boot-web-starter 1.6.0 within a web application developed with Spring Boot v2.3.2.RELEASE.

      When I add one or more filters to the application using @Bean/FilterRegistrationBean (example below), the Shiro filter is not properly loaded anymore, and all requests that depend on SecurityUtils to be fulfilled start to fail.

      @Bean
      public FilterRegistrationBean<LogoutFilter> logoutFilter() {
      
        final FilterRegistrationBean<LogoutFilter> registrationBean = new FilterRegistrationBean<>();
        registrationBean.addUrlPatterns("/security/logout");
        registrationBean.setFilter(new LogoutFilter());
        registrationBean.setName("logoutFilter");
        return registrationBean;
      }
      

      I ran some tests to figure out what's going on, and it turns out the @ConditionalOnMissingBean used to annotate filterShiroFilterRegistrationBean() here seems to be the culprit: the condition evaluates to false when there are more FilterRegistrationBeans annotated with @ConditionalOnMissingBean in the application, so the method is not called, and hence the Shiro filter is not loaded.

      As a workaround, I've added the below configuration to override the standard one and now everything works fine:

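      import javax.servlet.DispatcherType;
      import org.apache.shiro.spring.web.config.AbstractShiroWebFilterConfiguration;
      import org.apache.shiro.web.servlet.AbstractShiroFilter;
      import org.springframework.boot.web.servlet.FilterRegistrationBean;
      import org.springframework.context.annotation.Bean;
      import org.springframework.context.annotation.Configuration;

      @Configuration
      public class ShiroWebFilterConfig extends AbstractShiroWebFilterConfiguration {

        // Registers the Shiro filter explicitly, without @ConditionalOnMissingBean,
        // so other FilterRegistrationBean definitions cannot suppress it.
        @Bean
        protected FilterRegistrationBean<AbstractShiroFilter> shiroFilter() throws Exception {

          final FilterRegistrationBean<AbstractShiroFilter> registrationBean = new FilterRegistrationBean<>();
          registrationBean.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE, DispatcherType.ERROR);
          registrationBean.setFilter((AbstractShiroFilter) shiroFilterFactoryBean().getObject());
          registrationBean.setOrder(1);
          return registrationBean;
        }
      }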
      

      Maybe it's worth adding a name or type element to @ConditionalOnMissingBean in order to provide a more robust solution. Makes sense?

      Kind regards, Ricardo.
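
A fail-fast startup check for the failure described in this report, as an added example (not code from the reporter or from the Shiro project): it aborts application startup when no enabled FilterRegistrationBean wraps an AbstractShiroFilter, instead of letting requests reach the application without the security filter. The class and bean method names are hypothetical, and it assumes the Shiro filter is registered through a FilterRegistrationBean, as in the snippets above.

```java
import java.util.Map;

import org.apache.shiro.web.servlet.AbstractShiroFilter;
import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical guard class: not part of Shiro or of the reporter's application.
@Configuration
public class ShiroFilterStartupCheck {

  // Runs once all singletons exist, i.e. after every auto-configuration
  // condition (including @ConditionalOnMissingBean) has been evaluated.
  @Bean
  @SuppressWarnings("rawtypes")
  public SmartInitializingSingleton shiroFilterPresenceCheck(ApplicationContext ctx) {
    return () -> {
      Map<String, FilterRegistrationBean> registrations =
          ctx.getBeansOfType(FilterRegistrationBean.class);

      // Look for an enabled registration whose filter is the Shiro filter.
      boolean shiroRegistered = registrations.values().stream()
          .anyMatch(r -> r.isEnabled() && r.getFilter() instanceof AbstractShiroFilter);

      if (!shiroRegistered) {
        // Fail closed: refuse to start rather than serve requests
        // with no Subject bound for SecurityUtils.
        throw new IllegalStateException(
            "No enabled FilterRegistrationBean wraps an AbstractShiroFilter; "
                + "filter registrations found: " + registrations.keySet());
      }
    };
  }
}
```

The exception lists the names of the registrations that were found, which shows which other FilterRegistrationBean definitions were present when the Shiro one was skipped.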

            People

              fpapon Francois Papon
              ricardomendes Ricardo Mendes