0
votes

I have just started to look into Spring Security. I am reading the Spring Security reference guide. Here it is written as

Using filters="none" operates by creating an empty filter chain in Spring Security's FilterChainProxy, whereas the access attributes are used to configure the FilterSecurityInterceptor in the single filter chain which is created by the namespace configuration. The two are applied independently, so if you have an access constraint for a sub-pattern of a pattern which has a filters="none" attribute, the access constraint will be ignored, even if it is listed first. It isn't possible to apply a filters="none" attribute to the pattern /** since this is used by the namespace filter chain. In version 3.1 things are more flexible. You can define multiple filter chains and the filters attribute is no longer supported.

Can someone elaborate on this note from the reference documentation?


1 Answers

2
votes

Prior to Spring 3.1, suppose you want to allow access to a particular URL/pattern, i.e. you don't want Spring Security to be applied to it; you can add

<sec:intercept-url pattern="/nonsecure/**" filters="none" />

Here filters="none" creates an empty security filter chain, and hence this resource is not secured by Spring Security.

Even if you add an access attribute along with filters="none", it will be ignored.

For Spring 3.1 and above, you can define multiple filter chains like

<security:http pattern="/nonsecure/**" security="none"/>

<security:http pattern="/secure/**">
    <!-- ...other security config -->
</security:http>
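
The case the reference note warns about, shown next to its 3.1 form. This is an added example, not part of the answer above or of the Spring documentation; the /nonsecure/admin/** path and the ROLE_ADMIN and ROLE_USER names are assumptions chosen for illustration.

```xml
<!-- Added example; /nonsecure/admin/**, ROLE_ADMIN and ROLE_USER are assumed names. -->

<!-- Variant A: Spring Security 3.0.x namespace.
     The admin rule is listed first, but filters="none" gives /nonsecure/** an
     empty chain in FilterChainProxy, and that is applied independently of the
     access rules. FilterSecurityInterceptor never runs for /nonsecure/admin/**,
     so the ROLE_ADMIN constraint is ignored. -->
<security:http>
    <security:intercept-url pattern="/nonsecure/admin/**" access="ROLE_ADMIN" /> <!-- ignored -->
    <security:intercept-url pattern="/nonsecure/**" filters="none" />
    <security:intercept-url pattern="/**" access="ROLE_USER" />
    <security:http-basic />
</security:http>

<!-- Variant B: Spring Security 3.1+ namespace.
     Each <http> element is a separate filter chain. Chains are tried in
     declaration order and the first matching pattern handles the request,
     so the narrower protected pattern is declared before the open one. -->
<security:http pattern="/nonsecure/admin/**">
    <security:intercept-url pattern="/**" access="ROLE_ADMIN" />
    <security:http-basic />
</security:http>

<security:http pattern="/nonsecure/**" security="none" />

<security:http>
    <security:intercept-url pattern="/**" access="ROLE_USER" />
    <security:http-basic />
</security:http>

<!-- Both variants also need an <authentication-manager> definition, omitted here. -->
```

When reviewing a 3.1+ configuration, check that no security="none" chain is declared ahead of a chain whose pattern it covers, since the later chain would never be reached.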