Error: "IllegalArgumentException: A universal match pattern ('/**') is defined..."
Hi Everyone,
I am seeing an issue with my configuration. It is causing a Spring Security error:
Code:
Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <s
ecurity:http> namespace or FilterChainProxy bean configuration
at org.springframework.security.config.http.DefaultFilterChainValidator.checkPathOrder(DefaultFilterChainValidator.java:49)
at org.springframework.security.config.http.DefaultFilterChainValidator.validate(DefaultFilterChainValidator.java:39)
at org.springframework.security.web.FilterChainProxy.afterPropertiesSet(FilterChainProxy.java:148)
I am using Spring Framework 3.0.6.RELEASE, plus the following Spring Security libraries:
Code:
spring-security-config-3.1.0.RELEASE.jar
spring-security-core-3.1.0.RELEASE.jar
spring-security-crypto-3.1.0.RELEASE.jar
spring-security-oauth-1.0.0.M5.jar
spring-security-oauth2-1.0.0.M5.jar
spring-security-web-3.1.0.RELEASE.jar
My OAuth2 security configuration is below. Most of which were copied out of the Sparklr sample app:
Code:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
<oauth:authorization-server client-details-service-ref="storews.clientDetailsService" token-services-ref="storews.tokenServices">
<oauth:authorization-code />
<oauth:implicit disabled="true" />
<oauth:refresh-token disabled="true" />
<oauth:client-credentials disabled="true" />
<oauth:password disabled="true" />
</oauth:authorization-server>
<!-- AUTH ENDPOINT -->
<http access-denied-page="/oauth/login.jsp" access-decision-manager-ref="storews.accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
<!-- This needs to be anonymous so that the auth endpoint can handle oauth errors itself -->
<intercept-url pattern="/oauth/authorize" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/oauth/**" access="ROLE_USER" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY,DENY_OAUTH" />
<form-login authentication-failure-url="/oauth/login.jsp" default-target-url="/index.jsp" login-page="/oauth/login.jsp"
login-processing-url="/login.do" />
<logout logout-success-url="/index.jsp" logout-url="/logout.do" />
<anonymous />
<custom-filter ref="storews.resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
</http>
<oauth:resource-server id="storews.resourceServerFilter" token-services-ref="storews.tokenServices" />
<bean id="storews.accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<!-- Token Endpoint -->
<http create-session="never" xmlns="http://www.springframework.org/schema/security"
authentication-manager-ref="storews.clientAuthenticationManager">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic />
<custom-filter ref="storews.clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
</http>
<bean id="storews.clientCredentialsTokenEndpointFilter"
class="com.company.security.oauth2.filter.ClientMacAuthorizationTokenEndpointFilter"
p:authenticationManager-ref="storews.clientAuthenticationManager" />
<authentication-manager alias="storews.clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="storews.clientDetailsUserDetailsService" />
</authentication-manager>
<bean id="storews.clientDetailsUserDetailsService" class="com.company.security.oauth2.ClientDetailsUserDetailsService"
p:clientDetailsService-ref="storews.clientDetailsService" />
<oauth:client-details-service id="storews.clientDetailsService">
<oauth:client client-id="myClientId"
secret="secret"
authorized-grant-types="authorization_code"
authorities="ROLE_TRUSTED_CLIENT"
redirect-uri="https://shop.clientcompany.com/oauth/return" />
</oauth:client-details-service>
<bean id="storews.tokenServices" class="org.springframework.security.oauth2.provider.token.RandomValueTokenServices"
p:accessTokenValiditySeconds="31536000" p:supportRefreshToken="false">
<property name="tokenStore">
<bean class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
</property>
</bean>
</beans>
If I remove the "AUTH ENDPOINT" <http> element, the stack trace goes away. I tried removing individual <intercept-url> elements, but the error persists.
Am I doing something wrong, or is this a known issue?
Thank you!
