Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AuthenticationWebFilter executes filter chain twice per request #16553

Open
jdolan-chwy opened this issue Feb 7, 2025 · 0 comments
Open

AuthenticationWebFilter executes filter chain twice per request #16553

jdolan-chwy opened this issue Feb 7, 2025 · 0 comments
Labels
status: waiting-for-triage An issue we've not yet triaged

Comments

@jdolan-chwy
Copy link

I've noticed this for some time in my application logs and thought I was just misconfiguring Spring Security WebFlux somehow. But upon closer examination, I think there's a bug in AuthenticationWebFilter that causes this behavior:

spring-security/web/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java

Line 114 in 8e2a4bf

.switchIfEmpty(chain.filter(exchange).then(Mono.empty())) 

        @Override
	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
		return this.requiresAuthenticationMatcher.matches(exchange)
			.filter((matchResult) -> matchResult.isMatch())
			.flatMap((matchResult) -> this.authenticationConverter.convert(exchange))
			.switchIfEmpty(chain.filter(exchange).then(Mono.empty()))
			.flatMap((token) -> authenticate(exchange, chain, token))
			.onErrorResume(AuthenticationException.class, (ex) -> this.authenticationFailureHandler
				.onAuthenticationFailure(new WebFilterExchange(exchange, chain), ex));
	}

The .switchIfEmpty() here is actually assembling the filter chain on downstream subscription, rather than deferring it until it is needed. Shouldn't that line be more like:

.switchIfEmpy(Mono.defer(() -> chain.filter(exchange).then(Mono.empty()))

And, in fact, the method directly below this one uses Mono.defer() for error cases.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Feb 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: waiting-for-triage An issue we've not yet triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@spring-projects-issues @jdolan-chwy