Ability to use AbstractAuthenticationFilterConfigurer for custom filters #19319

@OrangeDog

Expected Behavior

A new custom auth processor can be added by implementing AbstractAuthenticationFilterConfigurer and AbstractAuthenticationProcessingFilter.

Current Behavior

Trying to do this fails, as AbstractAuthenticationFilterConfigurer calls http.addFilter() at the end of its quite long configure() method, which fails on any non-builtin filter.

Context

Specifically I was adding a system to force a password change if credentials are expired.
After the CredentialsExpiredException is handled, there is another POST request with the new password, which should go through all the same "authentication success" steps when it completes. The way to do this appears to be to implement an AbstractAuthenticationProcessingFilter, but to ensure it's configured correctly you need to either copy-paste a lot of AbstractAuthenticationFilterConfigurer, or do this:

@Override
public void configure(HttpSecurity http) {
    try {
        super.configure(http);
    } catch (IllegalArgumentException ex) {
        http.addFilterAfter(getAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}

Some way to define the order of a custom filter (e.g. another protected method in AbstractAuthenticationFilterConfigurer) would fix this.
