Results 1 to 3 of 3

Thread: stripQueryStringFromUrls missing from filter-security-metadata-source?

  1. Jan 10th, 2011, 02:07 PM #1
    Joseph Caristi
    Joseph Caristi is offline Junior Member
    Join Date
    Aug 2007
    Posts
    15

    Default stripQueryStringFromUrls missing from filter-security-metadata-source?

    I am using Spring Security to secure an application that has both web pages and web services. I just migrated from Spring Security 2.x to 3.0.5. My configuration allows clients to load wsdl and xsd files using anonymous authentication. After upgrading (and reconfiguring for the new packages, etc.) , this is no longer functioning properly. The way that I am attempting to get this to work is by configuring the FilterChainProxy with "stripQueryFromUrls" as follows:

    <bean id="securityFilter" class="org.springframework.security.web.FilterChai nProxy">
    <property name="stripQueryStringFromUrls" value="false" />
    <security:filter-chain-map path-type="ant">
    <security:filter-chain pattern="/services/*?wsdl"
    filters="httpSessionContextIntegrationFilterWithAS CFalse,
    basicAuthenticationFilter,anonymousAuthenticationF ilter,
    basicExceptionTranslationFilter,
    filterSecurityInterceptor" />
    etc...

    This part works with SpringSecurity 3.0.5. The problem I am having is when I get to the FilterSecurityInterceptor. The default behavior now seems to be that query strings are stripped from URLs, and there doesn't seem to be a way to change this using the security name space. I also tried to define my own DefaultFilterInvocationSecurityMetadataSource in order to set the stripQueryStringFromUrls property manually, but I haven't been able to figure out how to configure it. I have copied part of my configuration below. Does anyone know how I can get this to work?

    <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.int ercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="securityMetadataSource">
    <security:filter-security-metadata-source>
    <security:intercept-url pattern='/services/*?wsdl'
    access='ROLE_ANONYMOUS' />
    etc...
    Reply With Quote Reply With Quote
  2. Jan 10th, 2011, 05:26 PM #2
    Rob Winch
    Rob Winch is offline Senior Member Spring Team
    Join Date
    Jan 2008
    Posts
    1,833

    Default

    This is happening because the Spring Security namespace does not include the query string for ant based patterns by default. If you switch to http@path-type="regex" it will use them. If you want to use ant style path matching and still use the namespace I would recommend looking at the FAQ as it explains how to configure beans that are created by the namespace schema if the namespace does not support it.

    PS: In the future, please use code tags (i.e. the # button) to make your posts more readable.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
    Reply With Quote Reply With Quote
  3. Jan 11th, 2011, 08:26 AM #3
    Joseph Caristi
    Joseph Caristi is offline Junior Member
    Join Date
    Aug 2007
    Posts
    15

    Default

    Thank you! This is exactly what I needed. I will consider the regex path matching. In the meantime, the BeanPostProcessor worked. Here is my solution:

    Code:
    @Override
public Object postProcessAfterInitialization(Object bean, String beanName)
			throws BeansException {
	if (bean instanceof DefaultFilterInvocationSecurityMetadataSource) {
			log.info("********* Post-processing " + beanName);
			((DefaultFilterInvocationSecurityMetadataSource) bean)
					.setStripQueryStringFromUrls(false);
	}
	return bean;
}
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules