Geek Answers Handbook

Spring FilterChainProxy with filterSecurityInterceptor not working correctly?

I have a spring application with configuration files as shown below. All the configs seem to be correct, but during debugging, I found that during initialization, spring creates two beans for FilterSecurityInterceptor without interception rules-url, and the other with the rules I specified. When a request arrives, it uses a FilterSecurityInterceptor bean with no url-capture rules. Therefore, I see the following log:

DEBUG FilterSecurityInterceptor:183 - Public object - authentication not attempted

But the request URL falls under the intercept URL rule. I debugged and found that this was due to the fact that the bean used did not have interception rules in httpMethodMap from DefaultFilterInvocationSecurityMetadataSource . I'm not sure what is wrong here.

Below is applicationContext-security.xml :

 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd" default-init-method="init"> <security:authentication-manager alias="authenticationManager"> <security:authentication-provider user-service-ref="userDetailService"> </security:authentication-provider> </security:authentication-manager> <alias name="filterChainProxy" alias="springSecurityFilterChain" /> <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased"> <property name="decisionVoters"> <list> <bean class="org.springframework.security.access.vote.RoleVoter" /> <bean class="org.springframework.security.access.vote.AuthenticatedVoter" /> </list> </property> </bean> <bean id="consoleAuthenticationSuccessHandler" class="custom_class"> <property name="defaultTargetUrl" value="/loginSuccess.htm" /> <property name="targetUrlParameter" value="targetURL" /> </bean> <bean id="consoleAuthenticationFailureHandler" class="custom_class"> <property name="loginFailureUrl" value="/loginFailure.htm" /> </bean> <bean id="consoleLogoutSuccessHandler" class="custom_class"> <property name="logoutUrl" value="/loggedout.htm" /> </bean> <bean id="userDetailService" class="custom_class"> </bean> <security:http auto-config="true" security-context-repository-ref="securityContextRepository"> <security:form-login authentication-failure-url="/loginFailure.htm" default-target-url="/loginSuccess.htm" authentication-success-handler-ref="consoleAuthenticationSuccessHandler" /> <security:logout success-handler-ref="consoleLogoutSuccessHandler" /> <security:anonymous enabled="false" /> <security:session-management session-fixation-protection="none" /> </security:http> <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy"> <security:filter-chain-map path-type="ant"> <security:filter-chain pattern="/login.htm*" filters="none" /> <security:filter-chain pattern="/**" filters="securityContextFilter, logoutFilter, formLoginFilter, servletApiFilter, exceptionTranslator, filterSecurityInterceptor" /> </security:filter-chain-map> </bean> <bean id="securityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" /> <bean id="securityContextFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"> <property name="securityContextRepository" ref="securityContextRepository" /> </bean> <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter"> <constructor-arg ref="consoleLogoutSuccessHandler" index="0" type="org.springframework.security.web.authentication.logout.LogoutSuccessHandler" /> <constructor-arg> <list> <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" /> </list> </constructor-arg> </bean> <bean id="servletApiFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter" /> <bean id="exceptionTranslator" class="org.springframework.security.web.access.ExceptionTranslationFilter"> <property name="authenticationEntryPoint"> <bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> <property name="loginFormUrl" value="/login.jsp" /> </bean> </property> </bean> <bean id="formLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> <property name="authenticationManager" ref="authenticationManager" /> <property name="authenticationSuccessHandler" ref="consoleAuthenticationSuccessHandler" /> <property name="authenticationFailureHandler" ref="consoleAuthenticationFailureHandler" /> </bean> <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"> <property name="securityMetadataSource"> <security:filter-security-metadata-source> <security:intercept-url pattern="/login.htm*" access="ROLE_ANONYMOUS" /> <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" /> </security:filter-security-metadata-source> </property> <property name="accessDecisionManager" ref="accessDecisionManager" /> <property name="authenticationManager" ref="authenticationManager" /> </bean> </beans>

Appreciate any help here.

+7
java spring spring-mvc spring-security
source share
1 answer

You have a <security:http> element in the configuration. From the documentation:

38.1.2 <http>
Each <http> namespace block always creates a SecurityContextPersistenceFilter , ExceptionTranslationFilter and FilterSecurityInterceptor . They are fixed and cannot be replaced by alternatives.

So your <bean id="filterSecurityInterceptor"> ignored. Instead

 <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"> <property name="securityMetadataSource"> <security:filter-security-metadata-source> <security:intercept-url pattern="/login.htm*" access="ROLE_ANONYMOUS" /> <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" /> </security:filter-security-metadata-source> </property> <property name="accessDecisionManager" ref="accessDecisionManager" /> <property name="authenticationManager" ref="authenticationManager" /> </bean>

you should change <security:http> to include something like

 <security:http ... authentication-manager-ref="authenticationManager"> ... <security:intercept-url pattern="/login.htm*" access="ROLE_ANONYMOUS" /> <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" /> </security:http>

You do not need <bean id="accessDecisionManager"> because (quote from docs ) the default AffirmativeBased implementation is used with RoleVoter and AuthenticatedVoter ", which is what you define.

Your <bean id="securityContextFilter"> also ignored, instead you should add the security-context-repository-ref="securityContextRepository" attribute to the http element.
And your <bean id="exceptionTranslator"> ignored, I'm not sure how to replace it correctly.

And you manually define a lot of org.springframework.security beans. I suspect that most of them are either not needed (defined by default) or should be defined using specialized elements of the security: namespace security: instead of raw spring bean s.

+6
source share

More articles:


All Articles