Thread: Struggling with Custom Filters

  1. #1
    Join Date
    Apr 2009
    Posts
    14

    Struggling with Custom Filters

    I keep getting into the same type of error condition any time I try to use custom filters.

    Here is the error message with a custom AuthenticationProcessingFilter:

    Caused by: org.springframework.security.config.SecurityConfigurationException: Filters 'MyCustomAuthenticationProcessingFilter[ order=700; ]' and 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]' have the same 'order' value. When using custom filters, please make sure the positions do not conflict with default filters. Alternatively you can disable the default filters by removing the corresponding child elements from <http> and avoiding the use of <http auto-config='true'>.
    Here is my application-security.xml file.
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
                            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                            http://www.springframework.org/schema/security
                            http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
    
      <http entry-point-ref="authenticationProcessingFilterEntryPoint">
        <intercept-url pattern="/login.jsp" filters="none"/>
        <intercept-url pattern="/expire.html*" filters="none"/>
        <intercept-url pattern="/*.html" access="ROLE_USER" />
        <form-login login-page='/login.jsp' login-processing-url="/j_spring_security_check"
                    default-target-url='/dashboard.html' always-use-default-target='true'
                    authentication-failure-url="/login.jsp?login_error=1"/>
        <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"
                                    expired-url="/login.jsp?login_error=2"/>
      </http>
    
      <authentication-provider  user-service-ref="myCustomUserDetailsService">
            <password-encoder hash="plaintext"/>
      </authentication-provider>
      <beans:bean id="myCustomUserDetailsService" class="MyCustomUserDetailsService">
         <beans:property name="dataSource" ref="dataSource"/>
      </beans:bean>
    
      <beans:bean id="authenticationProcessingFilter" class="MyCustomAuthenticationProcessingFilter">
         <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
         <beans:property name="defaultTargetUrl" value="/dashboard.html" />
         <beans:property name="authenticationManager" ref="authenticationManager" />
      </beans:bean>
      <beans:bean id="authenticationProcessingFilterEntryPoint"
                  class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
         <beans:property name="loginFormUrl" value="/login.jsp" />
         <beans:property name="forceHttps" value="false" />
      </beans:bean>
      <authentication-manager alias="authenticationManager" />
    </beans:beans>
    I am confused as to why it keeps saying that I should avoid using auto-config="true". I am not using that, and my understanding is that auto-config="false" is the default value.

    Any help is appreciated.

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    It also says "Alternatively you can disable the default filters by removing the corresponding child elements from <http>..."

    You are using <form-login> and are adding an extra filter which conflicts with the one created by this element. Either remove the <form-login> element, or use "before" or "after" instead of "position".

    You can find more information in the reference manual.
    Spring - by Pivotal
    twitter @tekul

  3. #3
    Join Date
    Apr 2009
    Posts
    14

    Thanks for the input.

    I can't remove the form-login since I need to use my own login form for authentication. I tried to use both "before" and "after" instead of "position" as suggested by you.

    Code:
            <beans:bean id="authenticationProcessingFilter" class="MyCustomAuthenticationProcessingFilter">
                    <custom-filter before="AUTHENTICATION_PROCESSING_FILTER" />
                    <beans:property name="defaultTargetUrl" value="/dashboard.html" />
                    <beans:property name="authenticationManager" ref="authenticationManager" />
            </beans:bean>
    If I use "after", my authenticationProcessingFilter NEVER gets invoked (I mean the 'onSuccessfulAuthentication' method).

    If I use "before", it is getting invoked, but it is unable to load my 'defaultTargetUrl', which is the dashboard.html page of my application. Here is the error message I see:

    Code:
    May 11, 2009 6:10:40 AM org.springframework.web.servlet.DispatcherServlet noHandlerFound
    WARNING: No mapping found for HTTP request with URI [/myapp/index.html] in DispatcherServlet with name 'myapp'
    Without filters, there is no problem in loading the 'defaultTargetUrl'.

  4. #4
    Join Date
    Apr 2009
    Posts
    14

    Ok I figured out how to solve this problem. We have to add another property (alwaysUseDefaultTargetUrl = 'true') for the 'defaultTargetUrl' page to load. If you don't use it, it tries to load the "index.html" page. In my application there is no index.html page, and hence, the error message.


    Code:
            <beans:bean id="authenticationProcessingFilter" class="MyCustomAuthenticationProcessingFilter">
                    <custom-filter before="AUTHENTICATION_PROCESSING_FILTER" />
                    <beans:property name="defaultTargetUrl" value="/dashboard.html" />
                    <beans:property name="authenticationManager" ref="authenticationManager" />
                    <beans:property name="alwaysUseDefaultTargetUrl" value="true"/>
            </beans:bean>

  5. #5
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    I can't remove the form-login since I need to use my own login form for authentication. I
    Once again, you shouldn't need to do this. If you are using a custom AuthenticationProcessingFilter and entry point, it will just confuse the situation. You are just duplicating the namespace configuration, and part of it will be ignored.

    'alwaysUseDefaultTargetUrl' will override the original destination if you were prompted to authenticate during a request for a specific URL. Otherwise you will be redirected to the original URL. In this case, you must have requested "index.html" (or it must be the default welcome page for your webapp).
    Spring - by Pivotal
    twitter @tekul
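
    The arrangement described in the replies above (drop <form-login> and keep the custom filter at the AUTHENTICATION_PROCESSING_FILTER position), as an added example that is not part of any poster's message. It assumes MyCustomAuthenticationProcessingFilter extends the stock AuthenticationProcessingFilter, and it leaves out the poster's <concurrent-session-control> element to stay on the filter conflict:

    ```xml
    <!-- Added example, not the poster's file. Assumes MyCustomAuthenticationProcessingFilter
         extends org.springframework.security.ui.webapp.AuthenticationProcessingFilter. -->
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
                            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                            http://www.springframework.org/schema/security
                            http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

      <!-- No <form-login> and no auto-config: the namespace no longer creates its own
           AuthenticationProcessingFilter, so nothing else sits at order 700. -->
      <http entry-point-ref="authenticationProcessingFilterEntryPoint">
        <intercept-url pattern="/login.jsp" filters="none"/>
        <intercept-url pattern="/expire.html*" filters="none"/>
        <intercept-url pattern="/*.html" access="ROLE_USER"/>
      </http>

      <!-- The URLs that <form-login> used to carry are set on the filter bean instead. -->
      <beans:bean id="authenticationProcessingFilter" class="MyCustomAuthenticationProcessingFilter">
        <custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="defaultTargetUrl" value="/dashboard.html"/>
        <beans:property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
      </beans:bean>

      <!-- Sends unauthenticated requests to the custom login page. -->
      <beans:bean id="authenticationProcessingFilterEntryPoint"
          class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <beans:property name="loginFormUrl" value="/login.jsp"/>
        <beans:property name="forceHttps" value="false"/>
      </beans:bean>

      <authentication-manager alias="authenticationManager"/>

      <!-- Provider and user details service as in the poster's file
           (hash="plaintext" means passwords are compared unhashed). -->
      <authentication-provider user-service-ref="myCustomUserDetailsService">
        <password-encoder hash="plaintext"/>
      </authentication-provider>
      <beans:bean id="myCustomUserDetailsService" class="MyCustomUserDetailsService">
        <beans:property name="dataSource" ref="dataSource"/>
      </beans:bean>
    </beans:beans>
    ```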

  6. #6
    Join Date
    Apr 2009
    Posts
    14

    You are right. The property 'alwaysUseDefaultTargetUrl' is really not required. It just so happened that my welcome page was set to "index.html" in the web.xml file, and that page does not exist. I replaced that with login.jsp. Now it works fine. I have now set both 'defaultTargetUrl' and 'authenticationFailureUrl' for my custom 'authenticationProcessingFilter'.

    I have to admit that Spring is indeed powerful, but it needs lots of experiments and a greater understanding of concepts such as IoC containers and dependency injection before one can effectively put it to use. I have also noticed that I can build web applications faster than I used to with Struts. But then, that is my opinion.

    It would be nice if 'Spring Security' allowed for a custom "login failure condition" and redirect to a different page. For example, I would like to handle the authentication attempt of a valid user who has not activated his account. This is a special case of login failure. If there is a way to redirect the user to a new page other than 'defaultTargetUrl' and 'authenticationFailureUrl', that would be great. Is there a way to accomplish that with the current version?
