Expected Behavior

The documentation should clarify that when using HttpSecurity#addFilterBefore(), the specified filter will be executed before the target filter in the filter chain, and if the intention is to have the filter run after authentication filters, the documentation should recommend using HttpSecurity#addFilterAfter().

Current Behavior

Currently the documentation states this "By adding the filter before the AuthorizationFilter we are making sure that the TenantFilter is invoked after the authentication filters."
Reference: https://docs.spring.io/spring-security/reference/servlet/architecture.html#adding-custom-filter

Context

The misleading information in the documentation affects developers trying to implement security filters correctly. Many may end up placing filters in the wrong order, leading to tenant-specific logic being executed before authentication is completed.

Possible Fix

Update the documentation to:

• Use before instead of after in the statement "By adding the filter before the AuthorizationFilter we are making sure that the TenantFilter is invoked after the authentication filters."
• Clearly explain the purpose of addFilterBefore(), addFilterAfter(), and addFilterAt().
• Provide examples illustrating the correct usage of these methods in relation to authentication and authorization filters.