Menu
I'm using spring security and I have to use both filter-chain and namespace. Namespace works fine but it seems that the filter-chain doesn't!
Here is my configuration. First, namespace:
<sec:global-method-security secured-annotations="enabled" />
<sec:http pattern="/app/login.jsp*" security="none" />
<sec:http pattern="/admin/login.jsp*" security="none" />
<sec:http pattern="/app/*.png" security="none" />
<sec:http pattern="/admin/*.png" security="none" />
<sec:http pattern="/app/**" authentication-manager-ref="authenticationManager"
access-decision-manager-ref="accessDecisionManager">
<sec:intercept-url pattern="/app/**" access="ROLE_USER" />
<sec:access-denied-handler error-page="/app/login.jsp?aer=" />
<sec:form-login login-processing-url="/app/j_spring_security_check"
always-use-default-target="true" default-target-url="/app/index.html"
login-page='/app/login.jsp' authentication-failure-url='/app/login.jsp?login_error' />
<sec:logout logout-url="/app/j_spring_security_logout"
invalidate-session="true" logout-success-url="/app/login.jsp" />
</sec:http>
<sec:http pattern="/admin/**" authentication-manager-ref="authenticationManager"
access-decision-manager-ref="accessDecisionManager">
<sec:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
<sec:access-denied-handler error-page="/admin/login.jsp?aer=" />
<sec:form-login login-processing-url="/admin/j_spring_security_check"
always-use-default-target="true" default-target-url="/admin/index.html"
login-page='/admin/login.jsp' authentication-failure-url='/admin/login.jsp?login_error' />
<sec:logout logout-url="/admin/j_spring_security_logout"
invalidate-session="true" logout-success-url="/admin/login.jsp" />
</sec:http>
This works fine. But I also need to have a filter-chain to check other requests. (These requests are dynamically being created and we have to control them this way)
This is my filter-chain:
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<sec:filter-chain pattern="/css/**" filters="none" />
<sec:filter-chain pattern="/common/**" filters="none" />
<sec:filter-chain pattern="/images/**" filters="none" />
<sec:filter-chain pattern="/login.jsp*" filters="none" />
<sec:filter-chain pattern="/rest/**"
filters="
ConcurrentSessionFilter,
securityContextPersistenceFilter,
logoutFilter,
authenticationProcessingFilter,
sessionManagementFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
</security:filter-chain-map>
</bean>
The problem is, the filter-chain does not control anything. I'm sure that the filter-chain is working fine when namespaces are not used. But when I add namespaces, the problem begins.
Why? Can't I use that? or I can and I have to change something?
UPDATED:
This my debug log when calling this resource: /rest/asrv/gtallmmbrsofusrgrp
DEBUG AntPathRequestMatcher - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/app/login.jsp*'
DEBUG AntPathRequestMatcher - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/admin/login.jsp*'
DEBUG AntPathRequestMatcher - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/app/*.png'
DEBUG AntPathRequestMatcher - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/admin/*.png'
DEBUG AntPathRequestMatcher - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/app/**'
DEBUG AntPathRequestMatcher - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/admin/**'
DEBUG FilterChainProxy - /rest/asrv/gtallmmbrsofusrgrp has no matching filters
503
Spring Security maintains a filter chain internally where each of the filters has a particular responsibility and filters are added or removed from the configuration depending on which services are required. The ordering of the filters is important as there are dependencies between them.
In my earlier article We have seen Spring Security Java Configuration Annotation Example of Authentication and access control using @Secured, @PreAuthorize and JSR-250 @RolesAllowed annotations. As we know that Spring Security is a very powerful and highly customizable authentication and access-control framework.
DelegatingFilterProxy. The DelegatingFilterProxy is a filter which works as a bridge between Servlet container's life-cycle and Spring's Application Context. Servlet container does not have any information about the Spring's application context, but spring security needs security filters to execute the task..
React Full Stack Web Development With Spring Boot 67 Lectures 4.5 hours. More Detail. A filter is an object used to intercept the HTTP requests and responses of your application. By using filter, we can perform two operations at two instances − Before sending the request to the controller.
I think you are missing the DelegatingFilterProxy entry in your web.xml. But anyways,
As of Spring 3.1, the FilterChainProxy is configured using a list of SecurityFilterChain instances and FilterChainMap is deprecated. So try configuring it this way:
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
<list>
<sec:filter-chain pattern="/css/**" filters="none" />
<sec:filter-chain pattern="/common/**" filters="none" />
<sec:filter-chain pattern="/images/**" filters="none" />
<sec:filter-chain pattern="/login.jsp*" filters="none" />
<sec:filter-chain pattern="/rest/**"
filters="
ConcurrentSessionFilter,
securityContextPersistenceFilter,
logoutFilter,
authenticationProcessingFilter,
sessionManagementFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
</list>
</constructor-arg>
</bean>
And add the filter to your web.xml like this:
<filter>
<filter-name>filterChainProxy</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>filterChainProxy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
API Documentation
UPDATE 1:
To add logging to your application just put log4j jar on the path and add a log4j.properties file under your classpath.
Log4j.properties:
log4j.rootCategory=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} %-5p %c %M - %m\n
log4j.category.org.springframework.security=DEBUG
See also logging using Log4j
UPDATE 2: It seems to work for me, I have placed a test page welcome.xhtml in rest directory. The debug log is as follows:
2012-07-30 00:26:05,917 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/javax.faces.resource/**'
2012-07-30 00:26:05,923 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2012-07-30 00:26:05,923 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository readSecurityContextFromSession - No HttpSession currently exists
2012-07-30 00:26:05,923 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository loadContext - No SecurityContext was available from the HttpSession: null. A new one will be created.
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 4 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 5 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 6 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2012-07-30 00:26:05,926 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 7 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2012-07-30 00:26:05,926 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2012-07-30 00:26:05,928 DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter doFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2012-07-30 00:26:05,928 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.session.SessionManagementFilter doFilter - Requested session IDD44EAA53A767F3DC9C7338D3CD335198 is invalid.
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/login.xhtml'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/*'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/admin/**'
2012-07-30 00:26:05,930 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor beforeInvocation - Public object - authentication not attempted
2012-07-30 00:26:05,932 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml reached end of additional filter chain; proceeding with original chain
2012-07-30 00:26:06,229 DEBUG org.springframework.security.web.access.ExceptionTranslationFilter doFilter - Chain processed normally
I think it is the two form logins that you have is causing problems. Try to have only one login form and control the navigation after that based on the role. See this question for example: Can i use one Login page to redirect different page with Spring 3.0 Security..?
173
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
