Issue with web.xml mapping of Security and URLREWrite filters

I am trying to use Spring Security and the URLRewwriteFilter
my config looks like this

I saw some other threads but couldn't see how I can alter my config to make this work.

Code:

---

My Spring Security Config

<security:global-method-security pre-post-annotations="enabled">
        <!-- AspectJ pointcut expression that locates our "post" method and applies security that way
        <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
        -->
    </security:global-method-security>

    <security:http use-expressions="true">
        <!-- <security:intercept-url pattern="/secure/extreme/**" access="hasRole('ROLE_SUPERVISOR')"/>  -->
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <!-- Disable web URI authorization, as we're using <global-method-security> and have @Secured the services layer instead
        <intercept-url pattern="/listAccounts.html" access="isRememberMe()" />
        <intercept-url pattern="/post.html" access="hasRole('ROLE_TELLER')" />
       
        <security:intercept-url pattern="/**" access="permitAll" />
        -->
        <security:form-login />
        <security:logout />
        <security:remember-me />
<!--
    Uncomment to enable X509 client authentication support
        <x509 />
-->
        <!-- Uncomment to limit the number of sessions a user can have -->
        <security:session-management>
            <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </security:session-management>

    </security:http>

My web.xml

<!-- Enables clean URLs with JSP views e.g. /welcome instead of /app/welcome -->
       
        <filter>
                <filter-name>UrlRewriteFilter</filter-name>
                <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
        </filter>

        <filter-mapping>
                <filter-name>UrlRewriteFilter</filter-name>
                <url-pattern>/*</url-pattern>
        </filter-mapping>

<!-- The master configuration file for this Spring web application -->
        <context-param>
                <param-name>contextConfigLocation</param-name>
                <param-value>
                        /WEB-INF/config/web-application-config.xml
                </param-value>
        </context-param>
       
       
       
        <!-- Loads the Spring web application context -->
        <listener>
                <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>

        <listener>
                <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
        </listener>


<!-- Enables Spring Security -->
        <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

          <!-- Serves static resource content from .jar files such as spring-faces.jar -->
        <servlet>
                <servlet-name>Resources Servlet</servlet-name>
                <servlet-class>org.springframework.js.resource.ResourceServlet</servlet-class>
                <load-on-startup>0</load-on-startup>
        </servlet>
               
        <!-- Map all /resources requests to the Resource Servlet for handling -->
        <servlet-mapping>
                <servlet-name>Resources Servlet</servlet-name>
                <url-pattern>/resources/*</url-pattern>
        </servlet-mapping>
       
        <!-- The front controller of this Spring Web application, responsible for handling all application requests -->
        <servlet>
                <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
                <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
                <init-param>
                        <param-name>contextConfigLocation</param-name>
                        <param-value></param-value>
                </init-param>
                <load-on-startup>1</load-on-startup>
        </servlet>
               
        <!-- Map all *.spring requests to the DispatcherServlet for handling -->
        <servlet-mapping>
                <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
                <url-pattern>/app/*</url-pattern>
        </servlet-mapping>

---

my problem is that when I enable the URLRewrite Filter in the web.xml the security filter stops working
without the rewrite it works perfect

Is there any explanation for this issue? I need to get urlrewrite to work with Spring Security, but there are no tutorials or help on this issue!!!

You'll need to explain what the issue is first. All the original post effectively says is that "It doesn't work" when the URLRewriteFilter is added. This isn't really an adequate description of a technical problem and thus is unlikely to get any useful answers.

Presumably you haven't searched the web, since you say there are no tutorials or help available. 'UrlRewriteFilter "spring security"' in google throws up a lot of material, e.g.:

http://stackoverflow.com/questions/1...th-tuckey.html

http://nonrepeatable.blogspot.com/20...th-tuckey.html

If those don't describe your situation, then you need to refer to them and explain why not. And above all you need to monitor the effect of rewriting of URLs, both incoming and outgoing to make sure they are consistent with your setup and your Spring Security configuration.

I actually found your second link (http://nonrepeatable.blogspot.com/20...th-tuckey.html) and I did what it suggested, but it didn't actually work, because Spring Dispatcher Servlet is still taking requests for Spring Security login page etc.

But fortunately I managed to handle this issue by adding exceptions to urlrewriter configuration, so that urls reserved for spring security won't be redirected to Spring Dispatcher Servlet.

Quote:

---

Originally Posted by __dev18

I actually found your second link (http://nonrepeatable.blogspot.com/20...th-tuckey.html) and I did what it suggested, but it didn't actually work, because Spring Dispatcher Servlet is still taking requests for Spring Security login page etc.

But fortunately I managed to handle this issue by adding exceptions to urlrewriter configuration, so that urls reserved for spring security won't be redirected to Spring Dispatcher Servlet.

---

How did you add exception?

I'm using following way.

1. In urlrewritefilter.xml I handle spring security urls as following:

Code:

---

<rule>
        <from>^/webapp/login$</from>
        <to>/login</to>
</rule>
<rule>
        <from>^/webapp/login$</from>
        <to>/login</to>
</rule>
<outbound-rule>
        <from>/webapp/login(.*)$</from>
        <to>/login$1</to>
</outbound-rule>
<outbound-rule>
        <from>/webapp/**</from>
        <to>/$1</to>
</outbound-rule>

---

2. In web.xml

Code:

---

<filter>
        <filter-name>UrlRewriteFilter</filter-name>
        <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>

<filter-mapping>
        <filter-name>UrlRewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
</filter-mapping>

<servlet>
        <servlet-name>my-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
                <param-name>contextConfigLocation</param-name>
                <param-value></param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
        <servlet-name>my-dispatcher</servlet-name>
        <url-pattern>/webapp/*</url-pattern>
</servlet-mapping>

---

3. Spring security config:

Code:

---

<http auto-config="true" use-expressions="true">
        <intercept-url pattern="/webapp/login.jsp" method="GET" filters="none" />
        <intercept-url pattern="/images/*" filters="none" />
        <intercept-url pattern="/css/*" filters="none" />
        <intercept-url pattern="/js/*" filters="none" />
        <intercept-url pattern="/webapp/admin/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/webapp/**" access="permitAll" />
        <form-login login-processing-url="/webapp/login.jspx"
                login-page="/webapp/login.jsp" default-target-url="/webapp/usercp.jsp"
                always-use-default-target="true" authentication-failure-url="/webapp/login.jsp?login_error=1" />

        <logout logout-url="/webapp/logout.jspx" logout-success-url="/webapp/login.jsp" />
        <anonymous granted-authority="ROLE_ANONYMOUS" />
        <remember-me user-service-ref="userDAO" />
        <access-denied-handler error-page="/webapp/access-denied" />
</http>

---

So my web url is like following:
http://localhost:8080/mywebappcontext/webapp/welcome
http://localhost:8080/mywebappcontext/webapp/login
http://localhost:8080/mywebappcontext/webapp/users
etc

So login url is:
http://localhost:8080/mywebappcontext/webapp/login

and logout url is:
logout.jspx

Is there any better way to use spring security and urlrewrite filter?
I don't like to use /webapp/ section in url, because <c:url> omitting /webapp/ section when using with virtual host in tomcat.