Problem with adding Custom Filter in security filter stack...

[sreekanth.nair]

<sec:http auto-config="false" access-denied-page="/login/accessDenied.jsp" entry-point-ref="authenticationEntryPoint">
<sec:intercept-url pattern="/login/securityLogin.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/**" requires-channel="any" />
<sec:custom-filter ref="concurrentSessionFilter"/>
<sec:custom-filter ref="securityContextPersistenceFilter"/>
<sec:custom-filter ref="logoutFilter"/>
<sec:custom-filter ref="simpleSSOFilter"/>
<sec:custom-filter ref="authenticationProcessingFilter"/>
<sec:custom-filter ref="securityContextHolderAwareRequestFilter"/>
<sec:custom-filter ref="rememberMeAuthenticationFilter"/>
<sec:custom-filter ref="anonymousAuthenticationFilter"/>
<sec:custom-filter ref="exceptionTranslationFilter"/>
<sec:custom-filter ref="filterSecurityInterceptor"/>
<sec:session-management invalid-session-url="/login/securityLogin.jsp">
<sec:concurrency-control error-if-maximum-exceeded="true" max-sessions="1" session-registry-ref="sessionRegistry" expired-url="/login/securityLogin.jsp"/>
</sec:session-management>
</sec:http>


In this one all this filters are custom implementation except simpleSSOFilter all are customized version of sprinf standard security filters.

The problem is while specifying position for this filter chain like below its not working

<sec:http auto-config="false" access-denied-page="/login/accessDenied.jsp" entry-point-ref="authenticationEntryPoint">
<sec:intercept-url pattern="/login/securityLogin.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/**" requires-channel="any" />
<sec:custom-filter ref="concurrentSessionFilter" position="FIRST"/>
<sec:custom-filter ref="securityContextPersistenceFilter" after="CONCURRENT_SESSION_FILTER"/>
<sec:custom-filter ref="logoutFilter" after="SECURITY_CONTEXT_FILTER"/>
<sec:custom-filter ref="simpleSSOFilter" after="LOGOUT_FILTER"/>
<sec:custom-filter ref="authenticationProcessingFilter" after="LOGOUT_FILTER"/>
<sec:custom-filter ref="securityContextHolderAwareRequestFilter" after="FORM_LOGIN_FILTER"/>
<sec:custom-filter ref="rememberMeAuthenticationFilter" after="SERVLET_API_SUPPORT_FILTER"/>
<sec:custom-filter ref="anonymousAuthenticationFilter" after="REMEMBER_ME_FILTER"/>
<sec:custom-filter ref="exceptionTranslationFilter" after="ANONYMOUS_FILTER"/>
<sec:custom-filter ref="filterSecurityInterceptor" after="EXCEPTION_TRANSLATION_FILTER"/>
<sec:session-management invalid-session-url="/login/securityLogin.jsp">
<sec:concurrency-control error-if-maximum-exceeded="true" max-sessions="1" session-registry-ref="sessionRegistry" expired-url="/login/securityLogin.jsp"/>
</sec:session-management>
</sec:http>


I want this simpleSSOFIlter to be executed after the LOGOUT_FILTER.


Please let me know if any one knows how to configure all this custom filters.


Acegi-Security was so straight forward where Spring security is getting confused with this configuration.

[rohan123]

is it invoking or not at all ?

[sreekanth.nair]

Its invoking but its throwing some exception while deployment like Filter can not have same precedence. Please let me know how do i stack this Filter

[Rob Winch]

In this configuration you have specified two filters as after LOGOUT_FILTER. Since Spring Security does not know which of the two Filters should be first it will report an error. So instead make the first of these two filters after LOGOUT_FILTER and the one that you want after that marked as before X509_FILTER (which is the filter right after LOGOUT_FILTER).

[rohan123]

you having 2 filters at same location. so its throwing exception

[sreekanth.nair]

Thanks... I will check that and let you know if it works...

[sreekanth.nair]

14:28:21,775 ERROR [org.springframework.web.context.ContextLoader] (MSC service thread 1-2) Context initialization failed: org.springframework.beans.factory.BeanCreationExce ption: Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init method failed; nested exception is java.lang.ClassCastException: org.egov.infstr.security.acegi.EGovFilterInvocatio nDefinitionSource cannot be cast to org.springframework.security.web.access.intercept. DefaultFilterInvocationSecurityMetadataSource
at org.springframework.beans.factory.support.Abstract AutowireCapableBeanFactory.initializeBean(Abstract AutowireCapableBeanFactory.java:1445) [org.springframework.beans-3.1.0.RC1.jar:]
at org.springframework.beans.factory.support.Abstract AutowireCapableBeanFactory.doCreateBean(AbstractAu towireCapableBeanFactory.java:522) [org.springframework.beans-3.1.0.RC1.jar:]
at org.springframework.beans.factory.support.Abstract AutowireCapableBeanFactory.createBean(AbstractAuto wireCapableBeanFactory.java:459) [org.springframework.beans-3.1.0.RC1.jar:]
at org.springframework.beans.factory.support.Abstract BeanFactory$1.getObject(AbstractBeanFactory.java:2 94) [org.springframework.beans-3.1.0.RC1.jar:]
at org.springframework.beans.factory.support.DefaultS ingletonBeanRegistry.getSingleton(DefaultSingleton BeanRegistry.java:225) [org.springframework.beans-3.1.0.RC1.jar:]
at org.springframework.beans.factory.support.Abstract BeanFactory.doGetBean(AbstractBeanFactory.java:291 ) [org.springframework.beans-3.1.0.RC1.jar:]
at org.springframework.beans.factory.support.Abstract BeanFactory.getBean(AbstractBeanFactory.java:193) [org.springframework.beans-3.1.0.RC1.jar:]
at org.springframework.beans.factory.support.DefaultL istableBeanFactory.preInstantiateSingletons(Defaul tListableBeanFactory.java:585) [org.springframework.beans-3.1.0.RC1.jar:]
at org.springframework.context.support.AbstractApplic ationContext.finishBeanFactoryInitialization(Abstr actApplicationContext.java:913) [org.springframework.context-3.1.0.RC1.jar:]
at org.springframework.context.support.AbstractApplic ationContext.refresh(AbstractApplicationContext.ja va:464) [org.springframework.context-3.1.0.RC1.jar:]
at org.springframework.web.context.ContextLoader.conf igureAndRefreshWebApplicationContext(ContextLoader .java:381) [org.springframework.web-3.1.0.RC1.jar:]
at org.springframework.web.context.ContextLoader.init WebApplicationContext(ContextLoader.java:283) [org.springframework.web-3.1.0.RC1.jar:]
at org.springframework.web.context.ContextLoaderListe ner.contextInitialized(ContextLoaderListener.java: 111) [org.springframework.web-3.1.0.RC1.jar:]


org.egov.infstr.security.acegi.EGovFilterInvocatio nDefinitionSource is our custom implementation for org.springframework.security.web.access.intercept. FilterInvocationSecurityMetadataSource


I guess its a BUG...

Can anyone can confirm why its happening ?

[rohan123]

can you post some other relevant code? because it looks like acegi class cant be cast to spring. This is true so if you post other code then it could be identifiable for us. Also for better readability use tag.

[sreekanth.nair]

This is my custom FilterInvocation

Code:

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.Vector;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;


public class MyFilterInvocationDefinitionSource implements FilterInvocationSecurityMetadataSource {
	
	
	@Override
	public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
		if ((object == null) || !this.supports(object.getClass())) {
			throw new IllegalArgumentException("Object must be a FilterInvocation");
		}
		FilterInvocation invocation = (FilterInvocation) object;
		String url = invocation.getRequestUrl();
		String contextRoot = invocation.getHttpRequest().getContextPath();
		return lookupAttributes(contextRoot, url);
	}
	
	public List<ConfigAttribute> lookupAttributes(String contextPath, String url) {
		.............
                // some custom logic and and returns the config attribute 
		return configAttributes;
			
	}
	
	@Override
	public Collection<ConfigAttribute> getAllConfigAttributes() {
		return Collections.unmodifiableCollection(new ArrayList<ConfigAttribute>());

	}
	
	@Override
	public boolean supports(Class<?> clazz) {
		return FilterInvocation.class.isAssignableFrom(clazz);
	}
}