Spring Security - Can I use both namespace and filter-chain?

6
votes

I'm using spring security and I have to use both filter-chain and namespace. Namespace works fine but it seems that the filter-chain doesn't!
Here is my configuration. First, namespace:

<sec:global-method-security secured-annotations="enabled" />

<sec:http pattern="/app/login.jsp*" security="none" />
<sec:http pattern="/admin/login.jsp*" security="none" />
<sec:http pattern="/app/*.png" security="none" />
<sec:http pattern="/admin/*.png" security="none" />
<sec:http pattern="/app/**" authentication-manager-ref="authenticationManager"
    access-decision-manager-ref="accessDecisionManager">
    <sec:intercept-url pattern="/app/**" access="ROLE_USER" />
    <sec:access-denied-handler error-page="/app/login.jsp?aer=" />
    <sec:form-login login-processing-url="/app/j_spring_security_check"
        always-use-default-target="true" default-target-url="/app/index.html"
        login-page='/app/login.jsp' authentication-failure-url='/app/login.jsp?login_error' />
    <sec:logout logout-url="/app/j_spring_security_logout"
        invalidate-session="true" logout-success-url="/app/login.jsp" />
</sec:http>
<sec:http pattern="/admin/**" authentication-manager-ref="authenticationManager"
    access-decision-manager-ref="accessDecisionManager">
    <sec:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <sec:access-denied-handler error-page="/admin/login.jsp?aer=" />
    <sec:form-login login-processing-url="/admin/j_spring_security_check"
        always-use-default-target="true" default-target-url="/admin/index.html"
        login-page='/admin/login.jsp' authentication-failure-url='/admin/login.jsp?login_error' />
    <sec:logout logout-url="/admin/j_spring_security_logout"
        invalidate-session="true" logout-success-url="/admin/login.jsp" />
</sec:http>


This works fine. But I also need to have a filter-chain to check other requests. (These requests are dynamically being created and we have to control them this way)
This is my filter-chain:

<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map path-type="ant">

    <sec:filter-chain pattern="/css/**" filters="none" />
    <sec:filter-chain pattern="/common/**" filters="none" />
    <sec:filter-chain pattern="/images/**" filters="none" />
    <sec:filter-chain pattern="/login.jsp*" filters="none" />
    <sec:filter-chain pattern="/rest/**"
        filters="
        ConcurrentSessionFilter,
        securityContextPersistenceFilter,
        logoutFilter,
        authenticationProcessingFilter,
        sessionManagementFilter,
        exceptionTranslationFilter,
        filterSecurityInterceptor" />

    </security:filter-chain-map> 
</bean>


The problem is, the filter-chain does not control anything. I'm sure that the filter-chain is working fine when namespaces are not used. But when I add namespaces, the problem begins.
Why? Can't I use that? or I can and I have to change something?

UPDATED:
This my debug log when calling this resource: /rest/asrv/gtallmmbrsofusrgrp

DEBUG AntPathRequestMatcher           - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/app/login.jsp*'
DEBUG AntPathRequestMatcher           - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/admin/login.jsp*'
DEBUG AntPathRequestMatcher           - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/app/*.png'
DEBUG AntPathRequestMatcher           - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/admin/*.png'
DEBUG AntPathRequestMatcher           - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/app/**'
DEBUG AntPathRequestMatcher           - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/admin/**'
DEBUG FilterChainProxy                - /rest/asrv/gtallmmbrsofusrgrp has no matching filters
1
springspring-security
From the way you're configuring the namespace, I'm assuming that you're using SS 3.1? Based on the specificity of your question, it seems like you know what you're doing with regards to configuration - are you trying to apply this filter chain instead of the <sec:http> namespace declarations, or in addition to them?Peter Mularien
I'm trying to add these filters to the <sec:http> namespace.Matin Kh
I've update my question @PeterMularien . Now you can see that filter-chain-proxy does not work. Is it my configuration that causes this problem? Do I have to change the order?Matin Kh
From your silence, I'm assuming that this is not possible to use both namespaces and filter-chain. Right?Matin Kh

1 Answers

6
votes

I think you are missing the DelegatingFilterProxy entry in your web.xml. But anyways,

As of Spring 3.1, the FilterChainProxy is configured using a list of SecurityFilterChain instances and FilterChainMap is deprecated. So try configuring it this way:

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <constructor-arg>
        <list>
            <sec:filter-chain pattern="/css/**" filters="none" />
            <sec:filter-chain pattern="/common/**" filters="none" />
            <sec:filter-chain pattern="/images/**" filters="none" />
            <sec:filter-chain pattern="/login.jsp*" filters="none" />
            <sec:filter-chain pattern="/rest/**"
                filters="
                ConcurrentSessionFilter,
                securityContextPersistenceFilter,
                logoutFilter,
                authenticationProcessingFilter,
                sessionManagementFilter,
                exceptionTranslationFilter,
                filterSecurityInterceptor" />
        </list>
    </constructor-arg>
</bean>

And add the filter to your web.xml like this: 

<filter>
    <filter-name>filterChainProxy</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>filterChainProxy</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

API Documentation

UPDATE 1:

To add logging to your application just put log4j jar on the path and add a log4j.properties file under your classpath.

Log4j.properties:

log4j.rootCategory=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} %-5p %c %M - %m\n

log4j.category.org.springframework.security=DEBUG

See also logging using Log4j

UPDATE 2: It seems to work for me, I have placed a test page welcome.xhtml in rest directory. The debug log is as follows:

2012-07-30 00:26:05,917 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/javax.faces.resource/**'
2012-07-30 00:26:05,923 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2012-07-30 00:26:05,923 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository readSecurityContextFromSession - No HttpSession currently exists
2012-07-30 00:26:05,923 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository loadContext - No SecurityContext was available from the HttpSession: null. A new one will be created.
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 4 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 5 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 6 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2012-07-30 00:26:05,926 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 7 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2012-07-30 00:26:05,926 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2012-07-30 00:26:05,928 DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter doFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2012-07-30 00:26:05,928 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.session.SessionManagementFilter doFilter - Requested session IDD44EAA53A767F3DC9C7338D3CD335198 is invalid.
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/login.xhtml'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/*'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/admin/**'
2012-07-30 00:26:05,930 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor beforeInvocation - Public object - authentication not attempted
2012-07-30 00:26:05,932 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml reached end of additional filter chain; proceeding with original chain
2012-07-30 00:26:06,229 DEBUG org.springframework.security.web.access.ExceptionTranslationFilter doFilter - Chain processed normally

I think it is the two form logins that you have is causing problems. Try to have only one login form and control the navigation after that based on the role. See this question for example: Can i use one Login page to redirect different page with Spring 3.0 Security..?