I'm new to Spring and I've created a very basic working application using Spring Security. I would like to implement a custom filter that is only utilized when a specific url is requested. I want Spring security to continue to handle the urls specified in the <intercept-url> tags by requiring authentication. From my research I believe the filter chain proxy should help me to accomplish my goal, however I'm experiencing a strange result after adding the following filter chain proxy to my spring-security.xml file:
When the above filter chain proxy code is added to my spring-security.xml file, it seems the core spring security filters are no longer filtering any of the urls in my <http> <intercept-url> tags. Here is my code:
For example, with the filter chain proxy in place in the spring-security.xml, requests to /springapp/home no longer get filtered by Spring Security. Instead the home.jsp page is served up, bypassing any security. However, requests to /springapp/both do hit my custom filter (preAuthFilter) as specified in the filter chain proxy, so I can see it is somewhat working.
But, when I remove the filter chain proxy, then Spring Security correctly intercepts the /springapp/home request and the default login page is served up.
I would like Spring Security to continue to intercept the urls I specify in the <intercept-url> tags (i.e. /springapp/home), and to correctly use my custom preAuthFilter when the /springapp/both url is hit. Can anyone tell me what I may be doing wrong?
Ok so there are 2 different things here... Authentication and authorization. The security filter and authentication manager provide authentication. Their job is to make sure the user is whom s/he says s/he is and to load the list of roles that the user has access to. The interceptor provides authorization. The job of authorization is to make sure the user can access only the urls that s/he has access to based on the roles that s/he has. Think of authentication as the ticket checker at a theater, and authorization as the usher.
To make sure that security works, all requests have to pass through both authentication and authorization. Just like every movie goer has to go through the ticket checker and usher. Looks like here only both* is going through authentication and authorization. Home* is not going through authentication. That's why you have unauthenticated access.
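To illustrate the answer's point in configuration terms, here is an added example (not the asker's spring-security.xml, which is not shown on this page) using the Spring Security 3.1+ namespace, where each `<http pattern=...>` element defines one filter chain and every chain keeps the standard authentication and authorization filters. The `/both/**` and `/home` patterns are assumed to be relative to the springapp context, and the `com.example.PreAuthFilter` class and `ROLE_USER` authority are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original poster's configuration.
     Requires Spring Security 3.1+ (multiple <http> elements).
     Assumed: patterns are context-relative, PreAuthFilter class
     name and ROLE_USER are placeholders. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Chain 1: most specific pattern first. Only /both/** passes
         through the custom pre-auth filter, but the chain still carries
         the normal authentication entry point (form-login) and the
         authorization rule (intercept-url), so the "usher" is not skipped. -->
    <http pattern="/both/**" use-expressions="true">
        <custom-filter ref="preAuthFilter" position="PRE_AUTH_FILTER"/>
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <form-login/>
    </http>

    <!-- Chain 2: catch-all for everything else, including /home, using
         only the standard Spring Security filters. Without a chain that
         matches /home, the request is served with no security at all,
         which is the behaviour described in the question. -->
    <http use-expressions="true">
        <intercept-url pattern="/home" access="hasRole('ROLE_USER')"/>
        <intercept-url pattern="/**" access="permitAll"/>
        <form-login/>
        <logout/>
    </http>

    <!-- The custom filter bean; the class name is a placeholder. -->
    <beans:bean id="preAuthFilter" class="com.example.PreAuthFilter"/>

    <!-- In-memory user store for the example only. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="password" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

Chains are matched in declaration order against the request path, so the specific `/both/**` chain must appear before the catch-all; a request that matches no chain is not filtered at all.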
Thank you very much for taking the time to reply. So if I understand you correctly, because I added a filter chain proxy, it seems I now need to make sure all the endpoints I have in the <http><intercept-url> tags are also listed in my filter chain proxy? If my understanding is correct, how do I indicate that only the /both endpoint in my example goes through my custom filter, while all other endpoints go through only the standard Spring authentication/authorization filters?