Thread: SS 2.0.1 filter-chain-map

  1. #1
    Join Date
    Jun 2008
    Posts
    6

    SS 2.0.1 filter-chain-map

    I'm trying to set up Spring Security 2.0.1 for web services and also a website from the same site and port, but am having difficulty with it.

    I want to set up a webapp, so that anything with a URL starting with /services uses basic http auth, and fails with a 401, which is SOAP client friendly; and that unauthorized web page requests should be redirected to an HTML login page.

    I'm developing it with IntelliJ, using its autocompletion options, but also manually reading the XSD for the tag format.

    I'm following the documentation here
    [http]static.springframework.org/spring-security/site/reference/html/supporting-infrastructure.html#filters
    to set up custom filter chains,

    I've modified this to use the new namespace configuration, so the section of my security.xml looks like this:

    Code:
    <filter-chain-map path-type="ant">
            <filter-chain pattern="/services/**" filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
            <filter-chain pattern="/**" filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
        </filter-chain-map>
    and this is the relevant section of my web.xml:
    Code:
        <filter>
            <filter-name>securityFilter</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
            <init-param>
                <param-name>targetBeanName</param-name>
                <param-value>springSecurityFilterChain</param-value>
            </init-param>
        </filter>
    but when I try to run it, in Jetty, I get the following stacktrace

    Code:
    org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Cannot locate BeanDefinitionParser for element [filter-chain-map]
    Offending resource: ServletContext resource [/WEB-INF/security.xml]
            at org.springframework.beans.factory.parsing.FailFastProblemReporter.fatal(FailFastProblemReporter.java:59)
            at org.springframework.beans.factory.parsing.ReaderContext.fatal(ReaderContext.java:68)
            at org.springframework.beans.factory.parsing.ReaderContext.fatal(ReaderContext.java:55)
            at org.springframework.beans.factory.xml.NamespaceHandlerSupport.findParserForElement(NamespaceHandlerSupport.java:79)
            at org.springframework.beans.factory.xml.NamespaceHandlerSupport.parse(NamespaceHandlerSupport.java:69)
            at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1253)
            at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1243)
            at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:135)
            at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:92)
            at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:507)
            at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:398)
            at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:342)
            at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:310)
            at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143)
            at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:178)
            at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:149)
            at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:124)
            at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:92)
            at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:123)
            at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:423)
            at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:353)
            at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255)
            at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:199)
            at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45)
            at org.mortbay.jetty.handler.ContextHandler.startContext(ContextHandler.java:539)
            at org.mortbay.jetty.servlet.Context.startContext(Context.java:135)
            at org.mortbay.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1216)
            at org.mortbay.jetty.handler.ContextHandler.doStart(ContextHandler.java:509)
            at org.mortbay.jetty.webapp.WebAppContext.doStart(WebAppContext.java:447)
            at org.mortbay.jetty.plugin.Jetty6PluginWebAppContext.doStart(Jetty6PluginWebAppContext.java:110)
            at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:40)
            at org.mortbay.jetty.plugin.AbstractJettyRunMojo$1.filesChanged(AbstractJettyRunMojo.java:409)
            at org.mortbay.util.Scanner.reportBulkChanges(Scanner.java:478)
            at org.mortbay.util.Scanner.reportDifferences(Scanner.java:349)
            at org.mortbay.util.Scanner.scan(Scanner.java:276)
            at org.mortbay.util.Scanner$1.run(Scanner.java:236)
            at java.util.TimerThread.mainLoop(Timer.java:512)
            at java.util.TimerThread.run(Timer.java:462)
    Does anyone have any idea what's causing this, or the correct way to set this up? I haven't seen any examples of this using the namespace syntax, so might it not be complete yet?

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    What do you mean by "I've modified this to use the new namespace configuration"... the example in the manual is using namespace configuration already. Could you add your context file please (as an attachment, not inline) - it's difficult to work out what's happening with just small snippets of information.

  3. #3
    Join Date
    Jun 2008
    Posts
    6

    on the manual page it is:

    Code:
    <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
      <sec:filter-chain-map path-type="ant">
         <sec:filter-chain pattern="/webServices/**" 
             filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
         <sec:filter-chain pattern="/**" 
             filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
      </sec:filter-chain-map>
    </bean>
    using a bean declaration, rather than the <filter-chain-map> tag of SS 2's namespace.
    the stacktrace seems to indicate that it doesn't recognise this tag, yet it's in the XSD.

    I've attached my full security.xml (as .txt file - .xml upload not allowed)

    thanks for looking. sorry if I'm being stupid, I'm quite new to Spring.

  4. #4
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Ah, Ok. You can't use filter-chain-map outside of a FilterChainProxy declaration. That is its sole purpose - to provide the configuration for a FilterChainProxy.

    The <http> syntax is an alternative to using FilterChainProxy. You wouldn't normally use them in the same configuration. If you want different filter chains for different URLs (as you do here), then you should use a traditional bean configuration (i.e. configure a FilterChainProxy and the filter beans that you want to use).

  5. #5
    Join Date
    Jun 2008
    Posts
    6

    thanks for the reply.

    it's a shame I'll have to get all the filter beans instantiated, I haven't dealt with Acegi, but the amount of XML configuration looks frightening!
    Is there anywhere in the documentation with an example of the configuration of a normal set of filters? would the FilterChainProxy bean's id have to be anything in particular, or will it be automatically wired up by class?
    And would you recommend sticking with the new security namespace, or just copying a full old acegi configuration, and changing the package name throughout to springframework.security?

    but if the <http> tag creates a FilterChainProxy, and instantiates the filters it needs with sensible values, would these filters not be available to name - in order - in the "filters" attribute of the <intercept-url>s?

    thanks again

  6. #6
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    The "filters" attribute of the filter-chain element lists the filter bean names in order. For example, in what you have above:

    "httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"

    those are the bean names. In theory you could use the internal bean names from the <http> element, but those are really an internal implementation issue and may not work in future.

    It is probably better to keep the two independent - much of the filter configuration will be different anyway (e.g. FilterSecurityInterceptor will protect different URLs).

  7. #7
    Join Date
    Dec 2006
    Location
    Karlsruhe, Germany
    Posts
    47

    Quote, originally posted by Luke Taylor:
    If you want different filter chains for different URLs (as you do here), then you should use a traditional bean configuration (i.e. configure a FilterChainProxy and the filter beans that you want to use).
    I think different filterChains for different URLs is quite a common use case.
    If I have to use my old acegi FilterChainProxy, I can't take advantage of the new namespace configuration? Or am I wrong?

    Thanks

  8. #8
    Join Date
    Dec 2006
    Location
    Karlsruhe, Germany
    Posts
    47

    Ok, I think I have figured it out.
    Since we have a lot of customization it is better not to use the <security:http> configuration.

  9. #9
    Join Date
    Aug 2008
    Posts
    3

    Bean id not found

    When I tried the same setup for my application, I got this error:

    Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'basicProcessingFilter' is defined

    My config:

    <http auto-config='true'>
        <intercept-url pattern='/login.jsp*' filters='none' />
        <intercept-url pattern='/**' access='ROLE_USER' />
        <form-login login-page='/login.jsp' />
        <http-basic/>
    </http>


    <beans:bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
        <filter-chain-map path-type="ant">
            <filter-chain pattern="/remote/**" filters="basicProcessingFilter" />
        </filter-chain-map>
    </beans:bean>
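
A traditional bean configuration for the /services/** chain discussed in this thread, added here as an illustration; it is not taken from any poster's attachment or from the Spring Security manual. It assumes Spring Security 2.0.x class names and the 2.0.1 schema, and the ids basicEntryPoint and accessDecisionManager, the realm name and the sample user are constructed for the example.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
  <!-- No <http> element is used. The id must match targetBeanName in web.xml. -->
  <beans:bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
    <filter-chain-map path-type="ant">
      <filter-chain pattern="/services/**" filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
    </filter-chain-map>
  </beans:bean>
  <!-- Every name in "filters" must be a bean declared in this context. -->
  <beans:bean id="httpSessionContextIntegrationFilterWithASCFalse" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
    <beans:property name="allowSessionCreation" value="false"/>
  </beans:bean>
  <!-- Entry point that answers unauthenticated requests with 401 and WWW-Authenticate. -->
  <beans:bean id="basicEntryPoint" class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
    <beans:property name="realmName" value="services"/>
  </beans:bean>
  <beans:bean id="basicProcessingFilter" class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="authenticationEntryPoint" ref="basicEntryPoint"/>
  </beans:bean>
  <beans:bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
    <beans:property name="authenticationEntryPoint" ref="basicEntryPoint"/>
  </beans:bean>
  <beans:bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
    <beans:property name="objectDefinitionSource">
      <filter-invocation-definition-source>
        <intercept-url pattern="/services/**" access="ROLE_USER"/>
      </filter-invocation-definition-source>
    </beans:property>
  </beans:bean>
  <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
      <beans:list><beans:bean class="org.springframework.security.vote.RoleVoter"/></beans:list>
    </beans:property>
  </beans:bean>
  <!-- Constructed sample user; replace with a real user store. -->
  <authentication-provider>
    <user-service>
      <user name="soapclient" password="REPLACE_ME" authorities="ROLE_USER"/>
    </user-service>
  </authentication-provider>
  <authentication-manager alias="authenticationManager"/>
</beans:beans>
```

Each name in the filters attribute resolves to a bean declared in the same context, which is what the NoSuchBeanDefinitionException above reports as missing. A form-login chain for /** would need its own ExceptionTranslationFilter bean whose entry point redirects to the login page instead of returning 401.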
