Validation with Spring Security
I'm using swagger request validator with spring security in my Sprint Boot 2.1.3 application.
It seems that the OpenApiValidationInterceptor waits for a ResettableRequestServletWrapper but since the goes through the security layer, it only have a SecurityContextHolderAwareRequestWrapper
How can I make it work?
Comments (5)
-
-
The general issue here is that the OpenApiValidationFilter needs to run last; otherwise there is a risk that by the time the OpenApiValidationInterceptor gets a chance to run, the ResettableRequestServletWrapper has been wrapped in something else (need to rewrite parameters? need to stash the request body somewhere? can’t do it except by wrapping the servlet request), and validation gets disabled.
But it also needs to run before any filter that could rewrite the parameter names, otherwise it is not validating the correct parameters. I need such a filter, for reasons beyond my control, and it is of course wrapping its input servlet request.
What can I do?
-
@Fabrice Gabolde @Fabrice Gabolde I see a possibility to achieve that.
Add the
OpenApiValidationFilter
with the right@Order
annotation so the filters will be called in the correct order.Than create a new class
WrappedOpenApiValidationInterceptor
there you extend the defaultOpenApiValidationInterceptor
.
In thepreHandle
method - if you encounter one of your wrapped request classes - unwrap the wrappedResettableRequestServletWrapper
and call the originalOpenApiValidationInterceptor
preHandle
method. -
I am resolving this issue due to inactivity. Please feel free to re-open if Sven’s suggestion does not fix the issue.
-
- changed status to resolved
- Log in to comment
You could register the validation filter before Spring's security filter.