Running code before SpringSecurityFilterChain was a problem we faced while implementing a huge project in Spring. For example, our logger filter would not log security redirections (like redirecting to auth/login). After a little digging, I found out following bean registration code:

    @Bean
    public FilterRegistrationBean registerCorsFilter(CORSFilter filter) {
        FilterRegistrationBean reg = new FilterRegistrationBean(filter);
        reg.setOrder(4);
        return reg;
    }

This method, when inserted in the configuration class (which is annotated with @Configuration), defines the order in which filters will run. But, we couldn’t register SpringSecurityFilterChain like this, because a similar order was defined in this commit to the framework. As stated in the commit, we can change the order in application.properties file easily:

security.filter-order=5

After this simple configuration, filters which have order up to 5 run before SpringSecurityFilterChain:

    @Bean
    public FilterRegistrationBean registerRequestLogFilter(RequestLogFilter filter) {
        FilterRegistrationBean reg = new FilterRegistrationBean(filter);
        reg.setOrder(3);
        return reg;
    }

    @Bean
    public FilterRegistrationBean registerCorsFilter(CORSFilter filter) {
        FilterRegistrationBean reg = new FilterRegistrationBean(filter);
        reg.setOrder(4);
        return reg;
    }