I need to use CORS with Spring Security. I've succeeded in getting login and basic security working, using a OncePerRequestFilter that is configured in app-beans.xml as follows:
<bean id="corsAwareAuthenticationFilter" class="org.broadinstitute.portal.servlet.CorsAwareAuthenticationFilter"/>
<security:http use-expressions="true">
<security:custom-filter ref="corsAwareAuthenticationFilter" after="PRE_AUTH_FILTER"/>
...
I basically followed the approach in this question: Cross-Origin Resource Sharing with Spring Security
My configuration for logout in app-beans.xml is simply:
<security:logout delete-cookies="JSESSIONID"/>
This works fine without CORS.
My problem is logging out. CORS is stopping access to j_spring_security_logout. Any idea why my OncePerRequestFilter is being called when logging in, but not when logging out?
Edited to add:
Thanks to alain.janinm, I solved the problem. I needed to set my filter to be called before the LOGOUT_FILTER. The following configuration addition solved the problem:
<security:custom-filter ref="corsAwareAuthenticationFilter" before="LOGOUT_FILTER"/>
Note, using position="LOGOUT_FILTER" didn't work, as that put my filter in the same position as the Spring LOGOUT_FILTER. My filter doesn't do the same thing as the LOGOUT_FILTER -- all mine does is to add the CORS headers. So I actually need the Spring LOGOUT_FILTER to still be called.
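The ordering effect described in the post, as an added example that is not part of the original post or of Spring Security's code: a dependency-free model of a filter chain in which the logout and login filters answer their own URLs without calling the rest of the chain. It assumes Spring Security's standard order (LOGOUT_FILTER, then PRE_AUTH_FILTER, then FORM_LOGIN_FILTER) and the default login URL /j_spring_security_check; the class names, the redirect target and the origin value are constructed for illustration.

```java
import java.util.*;

// Simplified model of a servlet filter chain; these are not Spring's classes.
public class FilterOrderDemo {
    interface Filter { void doFilter(String path, Map<String, String> headers, Chain chain); }

    static class Chain {
        private final Iterator<Filter> it;
        Chain(List<Filter> filters) { it = filters.iterator(); }
        void next(String path, Map<String, String> headers) {
            if (it.hasNext()) it.next().doFilter(path, headers, this);
        }
    }

    // Adds the CORS header, then always passes the request on.
    static final Filter CORS = (path, headers, chain) -> {
        headers.put("Access-Control-Allow-Origin", "https://app.example"); // constructed origin
        chain.next(path, headers);
    };
    // Answers the logout URL itself (redirect) and never calls the rest of the chain.
    static final Filter LOGOUT = (path, headers, chain) -> {
        if (path.equals("/j_spring_security_logout")) { headers.put("Location", "/"); return; }
        chain.next(path, headers);
    };
    // Passes everything through in this model.
    static final Filter PRE_AUTH = (path, headers, chain) -> chain.next(path, headers);
    // Answers the login URL itself, like the logout filter does for logout.
    static final Filter FORM_LOGIN = (path, headers, chain) -> {
        if (path.equals("/j_spring_security_check")) { headers.put("Location", "/"); return; }
        chain.next(path, headers);
    };

    // Runs one request through the given chain and reports whether the CORS header was set.
    static boolean hasCorsHeader(List<Filter> filters, String path) {
        Map<String, String> headers = new LinkedHashMap<>();
        new Chain(filters).next(path, headers);
        return headers.containsKey("Access-Control-Allow-Origin");
    }

    public static void main(String[] args) {
        List<Filter> afterPreAuth = List.of(LOGOUT, PRE_AUTH, CORS, FORM_LOGIN); // after="PRE_AUTH_FILTER"
        List<Filter> beforeLogout = List.of(CORS, LOGOUT, PRE_AUTH, FORM_LOGIN); // before="LOGOUT_FILTER"
        for (String path : List.of("/j_spring_security_check", "/j_spring_security_logout")) {
            System.out.printf("%-28s after=PRE_AUTH_FILTER: %-5b before=LOGOUT_FILTER: %b%n",
                    path, hasCorsHeader(afterPreAuth, path), hasCorsHeader(beforeLogout, path));
        }
    }
}
```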