Bean based configuration and filters="none"

**kmansoor** · Nov 16th, 2011, 04:49 PM

Hello All-
I recently switched from <http auto-config='true'...> to bean based configuration.

Background:
I have a pre-auth scenario (Apache + Shibboleth)

All the css, js and images are under /resources

I would like to use filters="none" for /resources (as I used to when using <http>), however it results in:

Code:

Bean 'fsi'; nested exception is org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: The attribute 'filters' isn't allowed here.

Code:

<bean id="fsi"
		class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
		<property name="authenticationManager" ref="authenticationManager" />
		<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />
		<property name="securityMetadataSource">
			<security:filter-security-metadata-source
				use-expressions="true">
				<security:intercept-url pattern="/resources/**"
					filters="none" />
				<security:intercept-url pattern="/login*"
					access="permitAll" />
				<security:intercept-url pattern="/logout*"
					access="permitAll" />
				<security:intercept-url pattern="/newlogin"
					access="hasRole('ROLE_USER')" />
				<security:intercept-url pattern="/**"
					access="hasRole('ROLE_USER')" />
			</security:filter-security-metadata-source>
		</property>
	</bean>

I do have WebExpressionVoter defined:

Code:

<bean id="httpRequestAccessDecisionManager"
		class="org.springframework.security.access.vote.AffirmativeBased">
		<property name="allowIfAllAbstainDecisions" value="false" />
		<property name="decisionVoters">
			<list>
				<ref bean="roleVoter" />
				<ref bean="webExpVoter" />
			</list>
		</property>
	</bean>

<bean id="webExpVoter"
		class="org.springframework.security.web.access.expression.WebExpressionVoter" />

Is it not possible in bean based configurations?
Any help will be highly appreciated.
Thanks.

**arthomps** · Nov 16th, 2011, 10:11 PM

The version for spring security matters with regards to your question. For more recent versions, you should change "filters="none"" to "access="permitAll""

**kmansoor** · Nov 17th, 2011, 10:03 AM

I'm using Spring Security 3.0.5.

I was under the impression

Code:

filters="none"

is a bit more efficient (especially for static resources, such as css & js) than

Code:

access="permitAll"

as the former completely circumvents authorization as opposed to the latter where authorization still happens with a true for all.

Is this not correct?

**Luke Taylor** · Nov 17th, 2011, 01:37 PM

You are confusing configuration of the FilterSecurityInterceptor with the FilterChainProxy. The latter maintains the filter chains which requests are mapped to - you should configure an empty filter chain for the pattern you wish to have omitted from Spring Security's handling.

Using filters="none" within the FilterSecurityInterceptor configuration does not make any sense, as it is a single filter within the security filter chain.

**kmansoor** · Nov 17th, 2011, 02:08 PM

Changed the filterChain to

Code:

<beans:bean id="springSecurityFilterChain"
		class="org.springframework.security.web.FilterChainProxy">
		<filter-chain-map path-type="ant">
			<filter-chain pattern="/resources/**" filters="none" />
			<filter-chain pattern="/**"
				filters="sif,shibbolethFilter,logoutFilter,etf,fsi" />

		</filter-chain-map>
	</beans:bean>

Thanks a lot for explaining.

Thread: Bean based configuration and filters="none"

Thread Tools

Display

Bean based configuration and filters="none"

Tags for this Thread

Posting Permissions