GenericFilterBean.init() throws NPE when filter is @Component with injected dependencies

[tizibienvenus]

Summary

When a filter extends GenericFilterBean or OncePerRequestFilter and is annotated with @Component (or created as a @Bean with constructor injection), the init() method throws a NullPointerException because this.logger is null.

Expected Behavior

The filter should initialize correctly when used as a Spring bean with dependency injection. The logger should be properly initialized before any method tries to use it.

Actual Behavior

java.lang.NullPointerException: Cannot invoke "org.apache.commons.logging.Log.isDebugEnabled()" because "this.logger" is null
	at org.springframework.web.filter.GenericFilterBean.init(GenericFilterBean.java:235) ~[spring-web-7.0.1.jar:7.0.1]
	at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:236) ~[tomcat-embed-core-11.0.14.jar:11.0.14]
	// ... full stack trace

Steps to Reproduce

1. Create a filter extending OncePerRequestFilter or GenericFilterBean with constructor injection
2. Annotate it with @Component and use @RequiredArgsConstructor or @Autowired constructor
3. Inject the filter into Spring Security configuration via addFilterBefore()
4. Start the Spring Boot application

Root Cause Analysis

The issue occurs because:

1. When @Component is used with constructor injection, Spring creates a proxy
2. The GenericFilterBean.init() method is marked as final
3. When the proxy tries to call super.init(), the logger field hasn't been initialized yet
4. The logger field in GenericFilterBean is transient and may not be properly initialized in proxy scenarios

Environment

• Spring Boot Version: 4.0.0
• Spring Framework Version: 7.0.1
• Java Version: 21.0.9
• Servlet API: Jakarta Servlet 6.0
• Tomcat Version: 11.0.14
• Build Tool: Maven 3.9+
• Operating System: Linux/Windows/macOS (all affected)

Additional Context

This bug particularly affects:

• JWT authentication filters (very common use case)
• Logging filters
• Security filters integrated with Spring Security
• Any filter using modern Spring practices (constructor injection, @Component)

The error message in logs also shows a warning about CGLIB proxies:

Unable to proxy interface-implementing method [public final void org.springframework.web.filter.GenericFilterBean.init(jakarta.servlet.FilterConfig) throws jakarta.servlet.ServletException] because it is marked as final, consider using interface-based JDK proxies instead.

This suggests the framework is aware of the proxying issue but the NPE still occurs.

[snicoll]

Thanks for the report, but please move all that code in an actual sample we can run ourselves. This makes no sense for us to replicate all those steps manually while you've the complete project on your side already. Ideally, edit your description to add a link to the project and remove all that code so that we can focus on the actual issue.

[sbrannen]

This appears to be effectively a duplicate of #35198; however, that issue was closed in 6.2.9.

[snicoll]

@tizibienvenus can you please attach the sample project based on the code you've removed? You can either attach a zip here or push the code to a GitHub repository.

[tizibienvenus]

Okay. Just a moment, I'll make the GitHub repository public.

[tizibienvenus]

@tizibienvenus can you please attach the sample project based on the code you've removed? You can either attach a zip here or push the code to a GitHub repository.

https://github.com/devtizi/city-cab