SEC-632: Explicit filter chain ordering is now achieved using "after" or "before". Setting the order value directly in the context is fragile due to potential future changes in the order values of standard filters.

core/src/main/java/org/springframework/security/config/OrderedFilterBeanDefinitionDecorator.java

@@ -1,5 +1,7 @@
 package org.springframework.security.config;
 
+import org.springframework.security.util.FieldUtils;
+import org.springframework.security.ui.FilterChainOrder;
 import org.springframework.beans.factory.xml.BeanDefinitionDecorator;
 import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.beans.factory.config.BeanDefinitionHolder;
@@ -8,6 +10,7 @@ import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.core.Ordered;
 import org.springframework.util.StringUtils;
 import org.springframework.util.Assert;
+import org.springframework.util.ReflectionUtils;
 
 import org.w3c.dom.Node;
 import org.w3c.dom.Element;
@@ -30,11 +33,13 @@ import java.io.IOException;
  */
 public class OrderedFilterBeanDefinitionDecorator implements BeanDefinitionDecorator {
 
-    public static final String ATT_ORDER = "order";
+    public static final String ATT_AFTER = "after";
+    public static final String ATT_BEFORE = "before";
 
     public BeanDefinitionHolder decorate(Node node, BeanDefinitionHolder holder, ParserContext parserContext) {
         Element elt = (Element)node;
-        String order = elt.getAttribute(ATT_ORDER);
+        String order = getOrder(elt, parserContext);
+
         BeanDefinition filter = holder.getBeanDefinition();
         BeanDefinition wrapper = new RootBeanDefinition(OrderedFilterDecorator.class);
         wrapper.getConstructorArgumentValues().addIndexedArgumentValue(0, holder.getBeanName());
@@ -47,6 +52,24 @@ public class OrderedFilterBeanDefinitionDecorator implements BeanDefinitionDecor
         return new BeanDefinitionHolder(wrapper, holder.getBeanName());
     }
 
+    /**
+     * Attempts to get the order of the filter by parsing the 'before' or 'after' attributes.
+     */
+    private String getOrder(Element elt, ParserContext pc) {
+        String after = elt.getAttribute(ATT_AFTER);
+        String before = elt.getAttribute(ATT_BEFORE);
+
+        if (StringUtils.hasText(after)) {
+            return FilterChainOrder.getOrder(after).toString();
+        }
+
+        if (StringUtils.hasText(before)) {
+            return FilterChainOrder.getOrder(before).toString();
+        }
+
+        return null;
+    }
+
     static class OrderedFilterDecorator implements Filter, Ordered {
         private Integer order = null;
         private Filter delegate;
@@ -72,7 +95,7 @@ public class OrderedFilterBeanDefinitionDecorator implements BeanDefinitionDecor
         public final int getOrder() {
             if(order == null) {
                 Assert.isInstanceOf(Ordered.class, "Filter '"+ beanName +"' must implement the 'Ordered' interface " +
-                        " or you must specify an order in <user-filter>");
+                        " or you must specify one of the attributes 'after' or 'before' in <user-filter>");
 
                 return ((Ordered)delegate).getOrder();
             }

core/src/main/java/org/springframework/security/providers/anonymous/AnonymousProcessingFilter.java

@@ -122,7 +122,7 @@ public class AnonymousProcessingFilter  extends SpringSecurityFilter  implements
 	}
 
 	public int getOrder() {
-        return FilterChainOrder.ANON_PROCESSING_FILTER;
+        return FilterChainOrder.ANONYMOUS_FILTER;
 	}
 
     public String getKey() {

core/src/main/java/org/springframework/security/securechannel/ChannelProcessingFilter.java

@@ -139,6 +139,6 @@ public class ChannelProcessingFilter extends SpringSecurityFilter implements Ini
     }
 
     public int getOrder() {
-        return FilterChainOrder.CHANNEL_PROCESSING_FILTER;
+        return FilterChainOrder.CHANNEL_FILTER;
     }
 }

core/src/main/java/org/springframework/security/ui/FilterChainOrder.java

@@ -1,6 +1,10 @@
 package org.springframework.security.ui;
 
 import org.springframework.core.Ordered;
+import org.springframework.util.Assert;
+
+import java.util.Map;
+import java.util.LinkedHashMap;
 
 /**
  * Stores the default order numbers of all Spring Security filters for use in configuration.
@@ -17,20 +21,52 @@ public abstract class FilterChainOrder {
     private static final int INTERVAL = 100;
     private static int i = 1;
 
-    public static final int CHANNEL_PROCESSING_FILTER   = FILTER_CHAIN_FIRST;
+    public static final int CHANNEL_FILTER              = FILTER_CHAIN_FIRST;
     public static final int CONCURRENT_SESSION_FILTER   = FILTER_CHAIN_FIRST + INTERVAL * i++;
     public static final int HTTP_SESSION_CONTEXT_FILTER = FILTER_CHAIN_FIRST + INTERVAL * i++;
     public static final int LOGOUT_FILTER               = FILTER_CHAIN_FIRST + INTERVAL * i++;
+    public static final int X509_FILTER                 = FILTER_CHAIN_FIRST + INTERVAL * i++;
     public static final int PRE_AUTH_FILTER             = FILTER_CHAIN_FIRST + INTERVAL * i++;
     public static final int CAS_PROCESSING_FILTER       = FILTER_CHAIN_FIRST + INTERVAL * i++;
-    public static final int AUTH_PROCESSING_FILTER      = FILTER_CHAIN_FIRST + INTERVAL * i++;
+    public static final int AUTHENTICATION_PROCESSING_FILTER = FILTER_CHAIN_FIRST + INTERVAL * i++;
     public static final int LOGIN_PAGE_FILTER           = FILTER_CHAIN_FIRST + INTERVAL * i++;
     public static final int BASIC_PROCESSING_FILTER     = FILTER_CHAIN_FIRST + INTERVAL * i++;
-    public static final int SECURITY_CONTEXT_HOLDER_AWARE_FILTER = FILTER_CHAIN_FIRST + INTERVAL * i++;
+    public static final int SERVLET_API_SUPPORT_FILTER = FILTER_CHAIN_FIRST + INTERVAL * i++;
     public static final int REMEMBER_ME_FILTER          = FILTER_CHAIN_FIRST + INTERVAL * i++;
-    public static final int ANON_PROCESSING_FILTER      = FILTER_CHAIN_FIRST + INTERVAL * i++;
+    public static final int ANONYMOUS_FILTER = FILTER_CHAIN_FIRST + INTERVAL * i++;
     public static final int EXCEPTION_TRANSLATION_FILTER = FILTER_CHAIN_FIRST + INTERVAL * i++;
     public static final int NTLM_FILTER                 = FILTER_CHAIN_FIRST + INTERVAL * i++;
     public static final int FILTER_SECURITY_INTERCEPTOR = FILTER_CHAIN_FIRST + INTERVAL * i++;
     public static final int SWITCH_USER_FILTER          = FILTER_CHAIN_FIRST + INTERVAL * i++;
+
+    private static final Map filterNameToOrder = new LinkedHashMap();
+
+    static {
+        filterNameToOrder.put("FIRST", new Integer(FILTER_CHAIN_FIRST));
+        filterNameToOrder.put("CHANNEL_FILTER", new Integer(CHANNEL_FILTER));
+        filterNameToOrder.put("CONCURRENT_SESSION_FILTER", new Integer(CONCURRENT_SESSION_FILTER));
+        filterNameToOrder.put("SESSION_CONTEXT_INTEGRATION_FILTER", new Integer(HTTP_SESSION_CONTEXT_FILTER));
+        filterNameToOrder.put("LOGOUT_FILTER", new Integer(LOGOUT_FILTER));
+        filterNameToOrder.put("X509_FILTER", new Integer(X509_FILTER));
+        filterNameToOrder.put("PRE_AUTH_FILTER", new Integer(PRE_AUTH_FILTER));
+        filterNameToOrder.put("CAS_PROCESSING_FILTER", new Integer(CAS_PROCESSING_FILTER));
+        filterNameToOrder.put("AUTHENTICATION_PROCESSING_FILTER", new Integer(AUTHENTICATION_PROCESSING_FILTER));
+        filterNameToOrder.put("BASIC_PROCESSING_FILTER", new Integer(BASIC_PROCESSING_FILTER));
+        filterNameToOrder.put("SERVLET_API_SUPPORT_FILTER", new Integer(SERVLET_API_SUPPORT_FILTER));
+        filterNameToOrder.put("REMEMBER_ME_FILTER", new Integer(REMEMBER_ME_FILTER));
+        filterNameToOrder.put("ANONYMOUS_FILTER", new Integer(ANONYMOUS_FILTER));
+        filterNameToOrder.put("EXCEPTION_TRANSLATION_FILTER", new Integer(EXCEPTION_TRANSLATION_FILTER));
+        filterNameToOrder.put("NTLM_FILTER", new Integer(NTLM_FILTER));
+        filterNameToOrder.put("FILTER_SECURITY_INTERCEPTOR", new Integer(FILTER_SECURITY_INTERCEPTOR));
+        filterNameToOrder.put("SWITCH_USER_FILTER", new Integer(SWITCH_USER_FILTER));
+    }
+
+    /** Allows filters to be used by name in the XSD file without explicit reference to Java constants */
+    public static Integer getOrder(String filterName) {
+        Integer order = (Integer) filterNameToOrder.get(filterName);
+
+        Assert.notNull(order, "Unable to match filter name " + filterName);
+
+        return order;
+    }
 }

core/src/main/java/org/springframework/security/ui/SpringSecurityFilter.java

@@ -51,4 +51,8 @@ public abstract class SpringSecurityFilter implements Filter, Ordered {
     }
 
     protected abstract void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException;
+
+    public String toString() {
+        return getClass() + "[ order=" + getOrder() + "; ]";
+    }
 }

core/src/main/java/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.java

@@ -154,7 +154,7 @@ public class AuthenticationProcessingFilter extends AbstractProcessingFilter {
     }
 
     public int getOrder() {
-        return FilterChainOrder.AUTH_PROCESSING_FILTER;
+        return FilterChainOrder.AUTHENTICATION_PROCESSING_FILTER;
     }
 
     String getUsernameParameter() {

core/src/main/java/org/springframework/security/wrapper/SecurityContextHolderAwareRequestFilter.java

@@ -92,6 +92,6 @@ public class SecurityContextHolderAwareRequestFilter extends SpringSecurityFilte
 	}
 
 	public int getOrder() {
-		return FilterChainOrder.SECURITY_CONTEXT_HOLDER_AWARE_FILTER;
+		return FilterChainOrder.SERVLET_API_SUPPORT_FILTER;
 	}
 }

core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc

@@ -267,9 +267,15 @@ jdbc-user-service.attlist &=
     
     
 user-filter =
-    ## Used to indicate that a filter bean declaration should be incorporated into the security filter chain. 
-    element user-filter {user-filter.attlist}
-user-filter.attlist &=
-    ## The order value for the chain (user to position the filter relative to the standard filters)   
-    attribute order {xsd:integer}?
+    ## Used to indicate that a filter bean declaration should be incorporated into the security filter chain. If neither the 'after' or 'before' options are supplied, then the filter must implement the Ordered interface directly. 
+    element user-filter {after | before}?
+after =
+    ## The filter immediately after which the user-filter should be placed in the chain. This feature will only be needed by advanced users who wish to mix their own filters into the security filter chain and have some knowledge of the standard Spring Security filters. The filter names map to specific Spring Security implementation filters. 
+    attribute after {"FIRST" | "CHANNEL_FILTER" | "CONCURRENT_SESSION_FILTER" | "SESSION_CONTEXT_INTEGRATION_FILTER" | "LOGOUT_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_PROCESSING_FILTER" | "AUTHENTICATION_PROCESSING_FILTER" | "BASIC_PROCESSING_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "NTLM_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER"}
+before =
+    ## The filter immediately before which the user-filter should be placed in the chain
+    attribute before {"FIRST" | "CHANNEL_FILTER" | "CONCURRENT_SESSION_FILTER" | "SESSION_CONTEXT_INTEGRATION_FILTER" | "LOGOUT_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_PROCESSING_FILTER" | "AUTHENTICATION_PROCESSING_FILTER" | "BASIC_PROCESSING_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "NTLM_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER"}
+
+    
+    
     

core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd

@@ -647,19 +647,124 @@
       </xs:annotation>
     </xs:attribute>
   </xs:attributeGroup>
+  <xs:group name="user-filter">
+    <xs:sequence>
+      <xs:element minOccurs="0" ref="security:user-filter"/>
+    </xs:sequence>
+  </xs:group>
   <xs:element name="user-filter">
     <xs:annotation>
-      <xs:documentation>Used to indicate that a filter bean declaration should be incorporated into the security filter chain. </xs:documentation>
+      <xs:documentation>Used to indicate that a filter bean declaration should be incorporated into the security filter chain. If neither the 'after' or 'before' options are supplied, then the filter must implement the Ordered interface directly. </xs:documentation>
     </xs:annotation>
     <xs:complexType>
-      <xs:attributeGroup ref="security:user-filter.attlist"/>
+      <xs:attribute name="after">
+        <xs:annotation>
+          <xs:documentation>The filter immediately after which the user-filter should be placed in the chain. This feature will only be needed by advanced users who wish to mix their own filters into the security filter chain and have some knowledge of the standard Spring Security filters. The filter names map to specific Spring Security implementation filters. </xs:documentation>
+        </xs:annotation>
+        <xs:simpleType>
+          <xs:restriction base="xs:token">
+            <xs:enumeration value="FIRST"/>
+            <xs:enumeration value="CHANNEL_FILTER"/>
+            <xs:enumeration value="CONCURRENT_SESSION_FILTER"/>
+            <xs:enumeration value="SESSION_CONTEXT_INTEGRATION_FILTER"/>
+            <xs:enumeration value="LOGOUT_FILTER"/>
+            <xs:enumeration value="X509_FILTER"/>
+            <xs:enumeration value="PRE_AUTH_FILTER"/>
+            <xs:enumeration value="CAS_PROCESSING_FILTER"/>
+            <xs:enumeration value="AUTHENTICATION_PROCESSING_FILTER"/>
+            <xs:enumeration value="BASIC_PROCESSING_FILTER"/>
+            <xs:enumeration value="SERVLET_API_SUPPORT_FILTER"/>
+            <xs:enumeration value="REMEMBER_ME_FILTER"/>
+            <xs:enumeration value="ANONYMOUS_FILTER"/>
+            <xs:enumeration value="EXCEPTION_TRANSLATION_FILTER"/>
+            <xs:enumeration value="NTLM_FILTER"/>
+            <xs:enumeration value="FILTER_SECURITY_INTERCEPTOR"/>
+            <xs:enumeration value="SWITCH_USER_FILTER"/>
+          </xs:restriction>
+        </xs:simpleType>
+      </xs:attribute>
+      <xs:attribute name="before">
+        <xs:annotation>
+          <xs:documentation>The filter immediately before which the user-filter should be placed in the chain</xs:documentation>
+        </xs:annotation>
+        <xs:simpleType>
+          <xs:restriction base="xs:token">
+            <xs:enumeration value="FIRST"/>
+            <xs:enumeration value="CHANNEL_FILTER"/>
+            <xs:enumeration value="CONCURRENT_SESSION_FILTER"/>
+            <xs:enumeration value="SESSION_CONTEXT_INTEGRATION_FILTER"/>
+            <xs:enumeration value="LOGOUT_FILTER"/>
+            <xs:enumeration value="X509_FILTER"/>
+            <xs:enumeration value="PRE_AUTH_FILTER"/>
+            <xs:enumeration value="CAS_PROCESSING_FILTER"/>
+            <xs:enumeration value="AUTHENTICATION_PROCESSING_FILTER"/>
+            <xs:enumeration value="BASIC_PROCESSING_FILTER"/>
+            <xs:enumeration value="SERVLET_API_SUPPORT_FILTER"/>
+            <xs:enumeration value="REMEMBER_ME_FILTER"/>
+            <xs:enumeration value="ANONYMOUS_FILTER"/>
+            <xs:enumeration value="EXCEPTION_TRANSLATION_FILTER"/>
+            <xs:enumeration value="NTLM_FILTER"/>
+            <xs:enumeration value="FILTER_SECURITY_INTERCEPTOR"/>
+            <xs:enumeration value="SWITCH_USER_FILTER"/>
+          </xs:restriction>
+        </xs:simpleType>
+      </xs:attribute>
     </xs:complexType>
   </xs:element>
-  <xs:attributeGroup name="user-filter.attlist">
-    <xs:attribute name="order" type="xs:integer">
+  <xs:attributeGroup name="after">
+    <xs:attribute name="after" use="required">
       <xs:annotation>
-        <xs:documentation>The order value for the chain (user to position the filter relative to the standard filters)   </xs:documentation>
+        <xs:documentation>The filter immediately after which the user-filter should be placed in the chain. This feature will only be needed by advanced users who wish to mix their own filters into the security filter chain and have some knowledge of the standard Spring Security filters. The filter names map to specific Spring Security implementation filters. </xs:documentation>
       </xs:annotation>
+      <xs:simpleType>
+        <xs:restriction base="xs:token">
+          <xs:enumeration value="FIRST"/>
+          <xs:enumeration value="CHANNEL_FILTER"/>
+          <xs:enumeration value="CONCURRENT_SESSION_FILTER"/>
+          <xs:enumeration value="SESSION_CONTEXT_INTEGRATION_FILTER"/>
+          <xs:enumeration value="LOGOUT_FILTER"/>
+          <xs:enumeration value="X509_FILTER"/>
+          <xs:enumeration value="PRE_AUTH_FILTER"/>
+          <xs:enumeration value="CAS_PROCESSING_FILTER"/>
+          <xs:enumeration value="AUTHENTICATION_PROCESSING_FILTER"/>
+          <xs:enumeration value="BASIC_PROCESSING_FILTER"/>
+          <xs:enumeration value="SERVLET_API_SUPPORT_FILTER"/>
+          <xs:enumeration value="REMEMBER_ME_FILTER"/>
+          <xs:enumeration value="ANONYMOUS_FILTER"/>
+          <xs:enumeration value="EXCEPTION_TRANSLATION_FILTER"/>
+          <xs:enumeration value="NTLM_FILTER"/>
+          <xs:enumeration value="FILTER_SECURITY_INTERCEPTOR"/>
+          <xs:enumeration value="SWITCH_USER_FILTER"/>
+        </xs:restriction>
+      </xs:simpleType>
+    </xs:attribute>
+  </xs:attributeGroup>
+  <xs:attributeGroup name="before">
+    <xs:attribute name="before" use="required">
+      <xs:annotation>
+        <xs:documentation>The filter immediately before which the user-filter should be placed in the chain</xs:documentation>
+      </xs:annotation>
+      <xs:simpleType>
+        <xs:restriction base="xs:token">
+          <xs:enumeration value="FIRST"/>
+          <xs:enumeration value="CHANNEL_FILTER"/>
+          <xs:enumeration value="CONCURRENT_SESSION_FILTER"/>
+          <xs:enumeration value="SESSION_CONTEXT_INTEGRATION_FILTER"/>
+          <xs:enumeration value="LOGOUT_FILTER"/>
+          <xs:enumeration value="X509_FILTER"/>
+          <xs:enumeration value="PRE_AUTH_FILTER"/>
+          <xs:enumeration value="CAS_PROCESSING_FILTER"/>
+          <xs:enumeration value="AUTHENTICATION_PROCESSING_FILTER"/>
+          <xs:enumeration value="BASIC_PROCESSING_FILTER"/>
+          <xs:enumeration value="SERVLET_API_SUPPORT_FILTER"/>
+          <xs:enumeration value="REMEMBER_ME_FILTER"/>
+          <xs:enumeration value="ANONYMOUS_FILTER"/>
+          <xs:enumeration value="EXCEPTION_TRANSLATION_FILTER"/>
+          <xs:enumeration value="NTLM_FILTER"/>
+          <xs:enumeration value="FILTER_SECURITY_INTERCEPTOR"/>
+          <xs:enumeration value="SWITCH_USER_FILTER"/>
+        </xs:restriction>
+      </xs:simpleType>
     </xs:attribute>
   </xs:attributeGroup>
 </xs:schema>

core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java

@@ -146,7 +146,7 @@ public class HttpSecurityBeanDefinitionParserTests {
         setContext(
                 "    <http auto-config='true'>" +
                 "        <intercept-url pattern='/**' access='ROLE_C' />" +
-                "        <intercept-url pattern='/secure*' method='DELETE' access='ROLE_SUPERVISOR' />" +                        
+                "        <intercept-url pattern='/secure*' method='DELETE' access='ROLE_SUPERVISOR' />" +
                 "        <intercept-url pattern='/secure*' method='POST' access='ROLE_A,ROLE_B' />" +
                 "    </http>" + AUTH_PROVIDER_XML);
 
@@ -199,14 +199,14 @@ public class HttpSecurityBeanDefinitionParserTests {
         setContext(
                 "<http auto-config='true'/>" + AUTH_PROVIDER_XML +
                 "<b:bean id='userFilter' class='org.springframework.security.util.MockFilter'>" +
-                "    <user-filter order='0'/>" +
+                "    <user-filter after='SESSION_CONTEXT_INTEGRATION_FILTER'/>" +
                 "</b:bean>" +
                 "<b:bean id='userFilter2' class='org.springframework.security.util.MockFilter'/>");
         List filters = getFilterChainProxy().getFilters("/someurl");
 
         assertEquals(11, filters.size());
-        assertTrue(filters.get(10) instanceof OrderedFilterBeanDefinitionDecorator.OrderedFilterDecorator);
-        assertEquals("userFilter", ((OrderedFilterBeanDefinitionDecorator.OrderedFilterDecorator)filters.get(10)).getBeanName());
+        assertTrue(filters.get(1) instanceof OrderedFilterBeanDefinitionDecorator.OrderedFilterDecorator);
+        assertEquals("userFilter", ((OrderedFilterBeanDefinitionDecorator.OrderedFilterDecorator)filters.get(1)).getBeanName());
     }
 
     @Test

core/src/test/java/org/springframework/security/providers/x509/X509TestUtils.java

@@ -68,8 +68,7 @@ public class X509TestUtils {
      *             [signature omitted]
      * </pre>
      */
-    public static X509Certificate buildTestCertificate()
-        throws Exception {
+    public static X509Certificate buildTestCertificate() throws Exception {
         String cert = "-----BEGIN CERTIFICATE-----\n"
             + "MIIEQTCCAymgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBkzEaMBgGA1UEAxMRTW9u\n"
             + "a2V5IE1hY2hpbmUgQ0ExCzAJBgNVBAYTAlVLMREwDwYDVQQIEwhTY290bGFuZDEQ\n"