Expected Behavior

Nowadays, it is popular that request from application, like webhook, is authenticated with signature calculated over body content. For example https://developers.fireblocks.com/reference/webhooks-gettingstarted-validatingevents

Fireblocks-Signature: Base64(RSA512(WEBHOOK_PRIVATE_KEY, SHA512(body)))

It is reasonable because protects body against tamper.

Unfortunately, it is a challenge to agree it with Spring Security, because to verify signature request body must be consumed. As Spring Security Filter Chain is before controller, if filter consumes body, controller get no body.

Current Behavior

It should documented or supported how to manage body signature.

Context

It is not clear to me what is recommended:

1. Controller may self check signature, but it breaks Spring Security architecture
2. Security filter may read request content and pass down new, artificial request. But this approach is unusual and I'm afraid side effects. For example Servlet specification declares jakarta.servlet.ReadListener - it is not clear what should happen when input is logically read 2 times - first by servlet, second by controller.

I decided to raise the issue as Enhancement category, because if option 2) is recommended, I think that Spring Security should offer something like ContentCachingRequestWrapper, but working before controller (the wrapper works only after controller)