Shiro / SHIRO-792

ShiroWebFilterConfiguration seems to conflict with other FilterRegistrationBean


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.0
    • Fix Version/s: 1.7.0, 2.0.0
    • Component/s: Integration: Spring
    • Labels:
      None

      Description

      I'm using shiro-spring-boot-web-starter 1.6.0 within a web application developed with Spring Boot v2.3.2.RELEASE.

      When I add one or more filters to the application using @Bean/FilterRegistrationBean (example below), the Shiro filter is not properly loaded anymore, and all requests that depend on SecurityUtils to be fulfilled start to fail.

      @Bean
      public FilterRegistrationBean<LogoutFilter> logoutFilter() {
      
        final FilterRegistrationBean<LogoutFilter> registrationBean = new FilterRegistrationBean<>();
        registrationBean.addUrlPatterns("/security/logout");
        registrationBean.setFilter(new LogoutFilter());
        registrationBean.setName("logoutFilter");
        return registrationBean;
      }
      

      I ran some tests to figure out what's going on and it turns out the @ConditionalOnMissingBean used to annotate filterShiroFilterRegistrationBean() here seems to be the culprit: the condition evaluates to false when there are more FilterRegistrationBeans annotated with @ConditionalOnMissingBean in the application, so the method is not called, and hence the Shiro filter is not loaded.

      As a workaround, I've added the below configuration to override the standard one and now everything works fine:

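      import javax.servlet.DispatcherType;
      import org.apache.shiro.spring.web.config.AbstractShiroWebFilterConfiguration;
      import org.apache.shiro.web.servlet.AbstractShiroFilter;
      import org.springframework.boot.web.servlet.FilterRegistrationBean;
      import org.springframework.context.annotation.Bean;
      import org.springframework.context.annotation.Configuration;

      @Configuration
      public class ShiroWebFilterConfig extends AbstractShiroWebFilterConfiguration {

        // Registers the Shiro filter explicitly, without any @ConditionalOnMissingBean.
        @Bean
        protected FilterRegistrationBean<AbstractShiroFilter> shiroFilter() throws Exception {

          final FilterRegistrationBean<AbstractShiroFilter> registrationBean = new FilterRegistrationBean<>();
          registrationBean.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE, DispatcherType.ERROR);
          registrationBean.setFilter((AbstractShiroFilter) shiroFilterFactoryBean().getObject());
          registrationBean.setOrder(1);
          return registrationBean;
        }
      }
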

      Maybe it's worth adding a name or type element to @ConditionalOnMissingBean in order to provide a more robust solution. Makes sense?

      Kind regards, Ricardo.
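
      Added example, not part of the original report and not the Shiro project's code: a startup guard for the failure mode described above, where the Shiro filter is silently left unregistered. It assumes the Shiro filter is registered through a FilterRegistrationBean (as in the starter and in the workaround); the class name ShiroFilterStartupGuard is hypothetical.

```java
import org.apache.shiro.web.servlet.AbstractShiroFilter;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.stereotype.Component;

// Hypothetical class name; added illustration, not Shiro code.
@Component
public class ShiroFilterStartupGuard implements SmartInitializingSingleton {

  // ObjectProvider resolves lazily and tolerates zero matching beans.
  private final ObjectProvider<FilterRegistrationBean<?>> registrations;

  public ShiroFilterStartupGuard(ObjectProvider<FilterRegistrationBean<?>> registrations) {
    this.registrations = registrations;
  }

  // Called once all singletons have been created; a conditional bean that
  // backed off is absent from the context by this point.
  @Override
  public void afterSingletonsInstantiated() {
    boolean shiroRegistered = registrations.stream()
        .filter(r -> r.isEnabled())
        .anyMatch(r -> r.getFilter() instanceof AbstractShiroFilter);

    if (!shiroRegistered) {
      // Fail startup instead of serving requests without the security filter.
      throw new IllegalStateException(
          "No enabled FilterRegistrationBean wraps an AbstractShiroFilter; "
              + "requests that rely on SecurityUtils would fail");
    }
  }
}
```

      If the Shiro filter is registered some other way (for example as a plain Filter bean), the check has to be adapted to that registration path.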

              People

              • Assignee:
                fpapon Francois Papon
                Reporter:
                ricardomendes Ricardo Mendes
              • Votes: 0
                Watchers: 3

                Time Tracking

                • Estimated: Not Specified
                  Remaining: 0h
                  Logged: 3h