Spring security core and filterChain chainMap problem

Here is my problem: I don't want to use any of the spring security kernel filters when the user uses the API (basically all /myapi/** requests) to avoid creating a useless session. The API is based on the oauth icon.

So, I use the spring-security-core plugin to authenticate the user, and I added this to my Config.groovy file:

    grails.plugins.springsecurity.filterChain.chainMap = [
        '/myapi/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-securityContextHolderAwareRequestFilter,-rememberMeAuthenticationFilter,-anonymousAuthenticationFilter,-exceptionTranslationFilter',
        '/**': 'JOINED_FILTERS'
    ]

Basically, from what I understood, it should not go through any spring security filter for all /myapi/something, but, in fact, it goes through all filters as it creates a session (I do not have everything for the session in /myapi/something).

But according to http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/16%20Filters.html:

"So, you need the /** catch-all rule at the end for URLs that don't match one of the earlier rules."

And that's why I don't understand why the request still goes through all the filters for any /myapi/something.

Some tests I have done can help:

It does not create a session if I only have in my Config.groovy:

    grails.plugins.springsecurity.filterChain.chainMap = [
        '/myapi/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-securityContextHolderAwareRequestFilter,-rememberMeAuthenticationFilter,-anonymousAuthenticationFilter,-exceptionTranslationFilter'
    ]

But it also does not create a session for other URLs without using any other filter, which makes the application not work normally. This example was just to make sure that the session was not created using the /myapi/something query.

If I only have:

    grails.plugins.springsecurity.filterChain.chainMap = [
        '/myapi/**': 'JOINED_FILTERS'
    ]

Then it goes through all the filters for all /myapi/something requests and creates a session. It does not use a filter for another request. This is an excluded behavior.

Thanks so much for your help, I struggled with this several times now, and any ideas would be more than welcome!

Thanks a lot! Have a good day.

+4
1 answer

Yes, I suffer from the same problem! Although I do not use JOINED_FILTER, I set the filter explicitly as follows:

    grails.plugins.springsecurity.filterChain.chainMap = [
        '/apitest/**': 'requestContextAttributesFilter,sessionPreventionFilter,objectRepositoryCreationFilter',
        '/api/**': 'requestContextAttributesFilter,sessionPreventionFilter,objectRepositoryCreationFilter,apiAuthenticationFilter',
        '/**': 'requestContextAttributesFilter,securityContextPersistenceFilter,aisAuthenticationProcessingFilter'
    ]

The last catch-all rule filter is executed when I get the URL '/apitest/*'. I could not reproduce this problem when I created a simple Grails project with several dummy filters in which there was only println and a similar chain card. For a simple test project, the filters worked properly. Since there seems to be no proper logging when the filter starts and why, it is quite difficult to identify the problem. Very strange...

UPDATE:

I was able to reproduce this error using the Spring Security Core plugin version 1.2.7.2. However, this error seems to be fixed with version 1.2.7.3!

See: http://jira.grails.org/secure/ReleaseNote.jspa?projectId=10229&version=13100

Using version 1.2.7.3 seems to solve this problem.

+4
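
The following Groovy script is an added example, not code from the question, the answer or the plugin: it models the rule quoted from the plugin documentation (rules are tried in order and the first matching pattern decides the chain) so the expected result for the question's chainMap can be compared with what the application actually does. The filter order, the name `filterInvocationInterceptor`, and the simplified `**` matching are assumptions of this model.

```groovy
import java.util.regex.Pattern

// Assumed default filter order; 'filterInvocationInterceptor' is not named on the page.
def allFilters = [
    'securityContextPersistenceFilter', 'logoutFilter',
    'authenticationProcessingFilter', 'securityContextHolderAwareRequestFilter',
    'rememberMeAuthenticationFilter', 'anonymousAuthenticationFilter',
    'exceptionTranslationFilter', 'filterInvocationInterceptor'
]

// The chainMap from the question; the map literal keeps insertion order.
def chainMap = [
    '/myapi/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,' +
                 '-authenticationProcessingFilter,-securityContextHolderAwareRequestFilter,' +
                 '-rememberMeAuthenticationFilter,-anonymousAuthenticationFilter,' +
                 '-exceptionTranslationFilter',
    '/**': 'JOINED_FILTERS'
]

// Simplified Ant-style matching: '**' spans path segments, '*' stays inside one.
def toRegex = { String ant ->
    ant.split('/', -1).collect { seg ->
        seg == '**' ? '.*' : seg.split('\\*', -1).collect { Pattern.quote(it) }.join('[^/]*')
    }.join('/')
}

// First matching pattern wins; later rules (including '/**') are never consulted.
def resolve = { Map<String, String> map, String url ->
    def entry = map.find { pattern, spec -> url ==~ toRegex(pattern) }
    if (entry == null) return []
    def tokens = entry.value.split(',')*.trim()
    def chain = tokens.contains('JOINED_FILTERS') ? new ArrayList(allFilters) : []
    tokens.each { t ->
        if (t.startsWith('-')) chain.remove(t.substring(1))   // '-name' drops a filter
        else if (t != 'JOINED_FILTERS') chain << t            // explicit filter name
    }
    chain
}

def apiChain = resolve(chainMap, '/myapi/orders/1')   // constructed sample URL
def webChain = resolve(chainMap, '/login/auth')       // constructed sample URL

// Expected: no session-related filter on the API path, full chain everywhere else.
assert !apiChain.contains('securityContextPersistenceFilter')
assert apiChain == ['filterInvocationInterceptor']
assert webChain == allFilters
println "API chain: ${apiChain}"
println "Web chain: ${webChain}"
```

If the running application applies the catch-all chain to /myapi/** requests even though this model resolves the API rule first, that is the behaviour the answer reports for plugin version 1.2.7.2.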