java security jakarta-ee jax-rs deltaspike

Change order of executing CDI Interceptors and ContainerRequestFilter


I am using the DeltaSpike SecurityInterceptor to authorize methods with the @LoggedIn annotation.

At the same time I am authenticating the user with a token in a ContainerRequestFilter.

@Inject
AuthenticationService authenticationService;

@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
    String authToken = requestContext.getHeaderString(AUTH_TOKEN);

    try {
        authenticationService.authenticateWithToken(authToken);
    } catch (LoginException e) {
        log.info(e.getMessage());
    }
}

I have run into the problem that the container executes SecurityInterceptor first and then ContainerRequestFilter, so the user does not get authenticated.

Is there any way to change the execution order?

My beans.xml:

<beans xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/beans_1_0.xsd">
<interceptors>
    <class>org.apache.deltaspike.security.impl.extension.SecurityInterceptor</class>
</interceptors>
</beans>


Solution

  • From the Java EE 7 documentation:

    If an application uses more than one interceptor, the interceptors are invoked in the order specified in the beans.xml file.

    But interceptors and filters don't have any execution correlation: filters act on web requests, interceptors are CDI objects. I think that any runtime execution dependency is a design error.

    Where is the interceptor annotation? Which class?
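
A fail-closed variant of the question's filter, as an added example that is not code from the question or the answer: it rejects the request with 401 inside the JAX-RS filter instead of only logging the failure, so the resource method is never invoked for an unauthenticated request. The class name, the header value behind AUTH_TOKEN, the AuthenticationService stand-in and the javax.security.auth.login.LoginException type are assumptions, as is that every resource this filter covers requires a token.

```java
import java.io.IOException;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.security.auth.login.LoginException;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Hypothetical stand-in for the question's AuthenticationService; its real
// definition is not shown on the page.
interface AuthenticationService {
    void authenticateWithToken(String token) throws LoginException;
}

@Provider
@Priority(Priorities.AUTHENTICATION) // request filters run in ascending priority order
public class TokenAuthenticationFilter implements ContainerRequestFilter {

    // Assumed header name; the question only shows the constant AUTH_TOKEN.
    static final String AUTH_TOKEN = "X-Auth-Token";

    @Inject
    AuthenticationService authenticationService;

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        String authToken = requestContext.getHeaderString(AUTH_TOKEN);
        if (authToken == null || authToken.trim().isEmpty()) {
            reject(requestContext); // no token at all: do not call the service
            return;
        }
        try {
            authenticationService.authenticateWithToken(authToken);
        } catch (LoginException e) {
            // Fail closed: aborting here means the resource method is not invoked.
            reject(requestContext);
        }
    }

    private static void reject(ContainerRequestContext requestContext) {
        requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
    }
}
```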