From c3fa78b4bd0175a1419be4174275c3b8326b7736 Mon Sep 17 00:00:00 2001
From: Ronald Ekambi
Date: Wed, 5 Jul 2023 15:44:53 -0400
Subject: [PATCH] apply jwt auth filters before rbacfilters
---
 agent/xds/listeners.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go
index 4278c3a8b6cc4..6e67cd1c564e2 100644
--- a/agent/xds/listeners.go
+++ b/agent/xds/listeners.go
@@ -1381,12 +1381,11 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot
 if err != nil {
 return nil, err
 }
-
- filterOpts.httpAuthzFilters = []*envoy_http_v3.HttpFilter{rbacFilter}
-
+ filterOpts.httpAuthzFilters = []*envoy_http_v3.HttpFilter{}
 if jwtFilter != nil {
 filterOpts.httpAuthzFilters = append(filterOpts.httpAuthzFilters, jwtFilter)
 }
+ filterOpts.httpAuthzFilters = append(filterOpts.httpAuthzFilters, rbacFilter)
 meshConfig := cfgSnap.MeshConfig()
 includeXFCC := meshConfig == nil || meshConfig.HTTP == nil || !meshConfig.HTTP.SanitizeXForwardedClientCert
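Review bot: The order of `filterOpts.httpAuthzFilters` is now a security-relevant invariant, but nothing at the two `append` calls says so, and a later refactor could put `rbacFilter` ahead of `jwtFilter` again without anyone noticing. Envoy runs HTTP filters in list order, so presumably the RBAC filter depends on the JWT filter having already validated the token and published its claims; I would add a comment above the slice initialisation such as `// Order matters: the JWT authn filter must run before RBAC so RBAC rules can match on verified claims.` The patch touches only `agent/xds/listeners.go`, so no test visible here pins the order, and an assertion on the generated filter chain (jwt entry before rbac entry when `jwtFilter != nil`) would keep it from regressing. `makeInboundListener` begins and ends outside this hunk, so how `jwtFilter` and `rbacFilter` are built is not visible here.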