Spring Security Filter Chain Proxy help

 
Greenhorn
Posts: 7
I'm new to Spring and I've created a very basic working application using Spring Security. I would like to implement a custom filter that is only utilized when a specific url is requested. I want Spring security to continue to handle the urls specified in the <intercept-url> tags by requiring authentication. From my research I believe the filter chain proxy should help me to accomplish my goal, however I'm experiencing a strange result after adding the following filter chain proxy to my spring-security.xml file:



When the above filter chain proxy code is added to my spring-security.xml file, it seems the core spring security filters are no longer filtering any of the urls in my <http> <intercept-url> tags. Here is my code:

web.xml


springapp-servlet.xml


spring-security.xml


For example, with the filter chain proxy in place in the spring-security.xml, requests to /springapp/home no longer get filtered by Spring Security. Instead the home.jsp page is served up, bypassing any security. However, requests to springapp/both do hit my custom filter (preAuthFilter) as specified in the filter chain proxy, so I can see it is somewhat working.

But, when I remove the filter chain proxy, then Spring Security correctly intercepts the /springapp/home request and the default login page is served up.

I would like Spring Security to continue to intercept the urls I specify in the <intercept-url> tags (i.e. /springapp/home), and correctly use my custom preAuthFilter when the /springapp/both url is hit. Can anyone tell me what I may be doing wrong?

Thanks . . . Matt
 
Rancher
Posts: 2759
Ok so there are 2 different things here... Authentication and authorization. The security filter and authentication manager provide authentication. Their job is to make sure the user is whom s/he says s/he is and to load the list of roles that the user has access to. The interceptor provides authorization. The job of authorization is to make sure the user can access only the urls that s/he has access to based on the roles that s/he has. Think of authentication as the ticket checker at a theater... And authorization as the usher.

To make sure that security works, all requests have to pass through authentication and authorization both. Just like every movie goer has to go through the ticket checker and usher. Looks like here only both* is going through authentication and authorization. Home* is not going through authentication. That's why you have unauthenticated access.
 
Matt Williard
Greenhorn
Posts: 7
Thank you very much for taking the time to reply. So if I understand you correctly, because I added a filter chain proxy, it seems I now need to make sure all the endpoints I have in the <http><intercept-url> tags are also listed in my filter chain proxy? If my understanding is correct, how do I indicate that only the /both endpoint in my example goes through my custom filter, while all other endpoints go through only the standard Spring authentication/authorization filters?
 
Jayesh A Lalwani
Rancher
Posts: 2759
I believe you can add multiple chains to the chain map. I haven't done it myself, but the spring docs seem to indicate that it's possible.
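
The behaviour discussed in this thread, as an added illustration (not code from any poster and not Spring's own code): a simplified Java model of how Spring Security's FilterChainProxy applies the first chain whose pattern matches a request, and applies no security filters when no chain matches. The matching logic, the constructed chain contents and every filter name except preAuthFilter are assumptions made for the example.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Simplified model of first-match chain selection; hypothetical class, not Spring's code. */
public class ChainSelectionDemo {

    // Minimal Ant-style matching: only a trailing "/**" wildcard is handled.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // The first matching chain wins; no match means no security filters run at all.
    static List<String> filtersFor(Map<String, List<String>> chainMap, String path) {
        for (Map.Entry<String, List<String>> chain : chainMap.entrySet()) {
            if (matches(chain.getKey(), path)) {
                return chain.getValue();
            }
        }
        return Collections.emptyList();
    }

    public static void main(String[] args) {
        // Constructed chains; names other than preAuthFilter are assumed labels.
        List<String> standard = List.of("securityContext", "formLogin",
                "exceptionTranslation", "filterSecurityInterceptor");
        List<String> custom = List.of("securityContext", "preAuthFilter",
                "exceptionTranslation", "filterSecurityInterceptor");

        // A chain map that lists only the custom endpoint.
        Map<String, List<String>> onlyBoth = new LinkedHashMap<>();
        onlyBoth.put("/springapp/both", custom);

        // The same map with a catch-all chain added last (order matters).
        Map<String, List<String>> withCatchAll = new LinkedHashMap<>(onlyBoth);
        withCatchAll.put("/**", standard);

        for (String path : List.of("/springapp/both", "/springapp/home")) {
            System.out.println(path + " | single chain  -> " + filtersFor(onlyBoth, path));
            System.out.println(path + " | with /** last -> " + filtersFor(withCatchAll, path));
        }
    }
}
```

With only the /springapp/both chain defined, /springapp/home resolves to an empty filter list, which corresponds to the unauthenticated access described above; adding the catch-all chain last restores the standard filters for every other URL.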
 