Description
DPoP filter is implemented as an `AuthenticationConverter` applied to an `AuthenticationFilter`. `AuthenticationFilter` extends `OncePerRequestFilter`, which means that only the first filter of that type actually does its filtering. An attribute is then added to the request that prevents additional filters of the same type from doing anything other than proceeding to the next filter.
In my experience, `AuthenticationFilter` plus `AuthenticationConverter` is the easiest way to create a custom filter, therefore I believe it to be very commonly used. Depending on the configuration, either DPoP or the custom filter is completely disabled, based on the filter ordering.
Sample application with oauth2 resource server + custom API key: https://github.com/gbaso/oauth2-api-server
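
The behaviour described in this report, as an added plain-Java model (not code from Spring Security or from the linked sample application): two instances of one filter class share a single "already filtered" request attribute, so the second instance's converter never runs. `ModelAuthFilter`, the `X-API-Key` header and the marker being derived from the class name are assumptions of this model.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

public class SharedMarkerDemo {
    // Hypothetical stand-in for AuthenticationFilter: one class, configured per instance.
    static final class ModelAuthFilter {
        final String label;
        final Function<Map<String, String>, String> converter;

        ModelAuthFilter(String label, Function<Map<String, String>, String> converter) {
            this.label = label;
            this.converter = converter;
        }

        void doFilter(Map<String, String> headers, Map<String, Object> attrs,
                      List<ModelAuthFilter> rest, List<String> trace) {
            // Assumption of this model: the marker comes from the class, so instances share it.
            String marker = getClass().getName() + ".FILTERED";
            if (attrs.containsKey(marker)) {
                trace.add(label + ": skipped, marker already set");
                proceed(headers, attrs, rest, trace);
                return;
            }
            attrs.put(marker, Boolean.TRUE);
            try {
                trace.add(label + ": converter returned " + converter.apply(headers));
                proceed(headers, attrs, rest, trace);
            } finally {
                attrs.remove(marker); // cleared only after the rest of the chain has run
            }
        }
    }

    static void proceed(Map<String, String> headers, Map<String, Object> attrs,
                        List<ModelAuthFilter> rest, List<String> trace) {
        if (!rest.isEmpty()) {
            rest.get(0).doFilter(headers, attrs, rest.subList(1, rest.size()), trace);
        }
    }

    public static void main(String[] args) {
        // Constructed request: carries an API key and no DPoP header.
        Map<String, String> headers = Map.of("X-API-Key", "constructed-sample-key");
        List<ModelAuthFilter> chain = List.of(
                new ModelAuthFilter("dpop", h -> h.get("DPoP")),
                new ModelAuthFilter("api-key", h -> h.get("X-API-Key")));
        List<String> trace = new ArrayList<>();
        proceed(headers, new HashMap<>(), chain, trace);
        trace.forEach(System.out::println);
    }
}
```

Swapping the two entries in `chain` makes the API-key converter run and the DPoP one skip, which is the ordering dependence the report describes.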