Thread: Default accessDecisionManager in FilterSecurityInterceptor

  1. #1
    Join Date
    Jan 2011
    Posts
    27

    Default accessDecisionManager in FilterSecurityInterceptor

    There is a typical configuration example in the reference:
    Code:
    <bean id="filterSecurityInterceptor"
          class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="accessDecisionManager" ref="accessDecisionManager"/>
      <property name="securityMetadataSource">
        <security:filter-security-metadata-source>
          <security:intercept-url pattern="/secure/super/**" access="ROLE_WE_DONT_HAVE"/>
          <security:intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR,ROLE_TELLER"/>
        </security:filter-security-metadata-source>
      </property>
    </bean>
    The accessDecisionManager property is required there.
    But I don't need a custom accessDecisionManager implementation. So how do I set the default accessDecisionManager?

    I only need to secure URLs by role, plus expression-based access control on methods, such as:
    Code:
    @PreAuthorize("hasRole('ROLE_USER')")
    public void create(Contact contact);

  2. #2
    Join Date
    Dec 2010
    Location
    Singapore
    Posts
    284

    Why don't you use namespace-based configurations? Then you won't need to set an AccessDecisionManager.

    If you do the Spring beans version, you will have to configure the AccessDecisionManager.
    Amila Domingo

  3. #3
    Join Date
    Dec 2010
    Location
    Singapore
    Posts
    284

    The following configuration should work for you:

    Code:
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:security="http://www.springframework.org/schema/security"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
              http://www.springframework.org/schema/security
              http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
    
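    	<!-- pre-post-annotations enables the @PreAuthorize expression used in the question -->
    	<security:global-method-security
    		secured-annotations="enabled" jsr250-annotations="enabled"
    		pre-post-annotations="enabled" />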
    
    	<security:http auto-config="true">
    		<security:intercept-url pattern="/secure/super/**" access="ROLE_WE_DONT_HAVE"/>
    		<security:intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR,ROLE_TELLER"/>
    	</security:http>
    	
    	<security:authentication-manager alias="authenticationManager">
    		<security:authentication-provider
    			ref="daoAuthenticationProvider" />
    	</security:authentication-manager>
    
    	<bean id="daoAuthenticationProvider"
    		class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    		<!-- Your properties -->
    	</bean>
    </beans>
    Just assuming you are using a DaoAuthenticationProvider.
    Amila Domingo

  4. #4
    Join Date
    Dec 2010
    Posts
    315

    Originally posted by kostepanych:
    There is a typical configuration example in the reference:
    Code:
    <bean id="filterSecurityInterceptor"
          class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="accessDecisionManager" ref="accessDecisionManager"/>
      <property name="securityMetadataSource">
        <security:filter-security-metadata-source>
          <security:intercept-url pattern="/secure/super/**" access="ROLE_WE_DONT_HAVE"/>
          <security:intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR,ROLE_TELLER"/>
        </security:filter-security-metadata-source>
      </property>
    </bean>
    The accessDecisionManager property is required there.
    But I don't need a custom accessDecisionManager implementation. So how do I set the default accessDecisionManager?

    I only need to secure URLs by role, plus expression-based access control on methods, such as:
    Code:
    @PreAuthorize("hasRole('ROLE_USER')")
    public void create(Contact contact);

    I'm just wondering how is this a typical configuration? It seems more of a customized configuration.

  5. #5
    Join Date
    Feb 2013
    Posts
    1

    Late post, but this example is considered "typical" because it's the example Spring documentation uses to show the filter configuration:
    http://static.springsource.org/sprin...b-filters.html

    On a side note, I assume the original question instead had to do with configuring FilterChainProxy beans, in which case you'd have to configure all filters manually, which is why he isn't using <http> to configure access filtering.
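
For the explicit-bean case discussed in this thread, the following is an added example (not posted by any participant and not taken from the Spring reference) that declares by hand the access decision manager the `<http>` namespace creates by default in Spring Security 3.0: an `AffirmativeBased` manager with a `RoleVoter` and an `AuthenticatedVoter`. It assumes an `authenticationManager` bean is registered elsewhere through `<security:authentication-manager alias="authenticationManager">`, as in reply #3.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <!-- Equivalent of the namespace default: access is granted as soon as
         one voter grants it, so any one of the listed roles is enough. -->
    <bean id="accessDecisionManager"
          class="org.springframework.security.access.vote.AffirmativeBased">
        <!-- Deny when every voter abstains (also the class default). -->
        <property name="allowIfAllAbstainDecisions" value="false"/>
        <property name="decisionVoters">
            <list>
                <!-- Votes on attributes that start with ROLE_ -->
                <bean class="org.springframework.security.access.vote.RoleVoter"/>
                <!-- Votes on IS_AUTHENTICATED_FULLY / _REMEMBERED / _ANONYMOUSLY -->
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            </list>
        </property>
    </bean>

    <!-- Assumption: "authenticationManager" is defined elsewhere via
         security:authentication-manager with alias="authenticationManager". -->
    <bean id="filterSecurityInterceptor"
          class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="securityMetadataSource">
            <security:filter-security-metadata-source>
                <!-- First matching pattern wins: keep the narrower pattern first. -->
                <security:intercept-url pattern="/secure/super/**" access="ROLE_WE_DONT_HAVE"/>
                <security:intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR,ROLE_TELLER"/>
            </security:filter-security-metadata-source>
        </property>
    </bean>

    <!-- Method security is configured separately from the URL filter and
         builds its own default manager; this switches on @PreAuthorize. -->
    <security:global-method-security pre-post-annotations="enabled"/>
</beans>
```

Because `RoleVoter` abstains on any attribute without the `ROLE_` prefix, a misspelled attribute on a URL pattern results in denial with this manager rather than silent access.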
