Will the Guru

Any Servlet or Filter beans are registered with the servlet container automatically. 

https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto.webserver.add-servlet-filter-listener.spring-bean

As mentioned from the above Spring document, registering Servlet or Filter as a bean automatically makes those filters to be applied from the servlet container. In other words, the filters that are registered as beans will automatically be called from Spring Boot.

For example,

Just as Figure 1, if we add the /hello path to be excluded from the requestMatcher, the path would bypass the filters.

However, if we add make the filter as a Bean, the filter itself will be triggered from the servlet container.

Like seen from the Figure 3, we can check the registered filter bean is included in the FilterChainProxy‘s chain that triggers the doFilter() to be called from MyCustomFilter class.

If that so, what should we do in circumstances where we need that filter to be declared as a bean but don’t want that to be executed from the spring security?
The answer is to use FilterRegistrationBean.

Use FilterRegistrationBean to bypass filter registration

Declaring a FilterRegistrationBean of the specific filter and disabling it from registration would make the requests to bypass that filter.

Reference

• https://stackoverflow.com/questions/39314176/filter-invoke-twice-when-register-as-spring-bean
• https://github.com/spring-projects/spring-boot/issues/6902
• https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto.webserver.add-servlet-filter-listener.spring-bean.disable