
Thread: Spring security 3 and Url Rewrite

  1. #1

    Spring security 3 and Url Rewrite

    Hi all,

    I'm looking to secure my basic application with Spring security 3 however because I am using a Urlrewrite filter (required for RESTful urls) I cannot get the security to invoke.

    My web.xml looks like:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app id="WebApp_ID" version="2.4" 
    	  xmlns="http://java.sun.com/xml/ns/j2ee" 
    	  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    	  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    	  
    	  
    	<display-name>MyApp</display-name>
    	
    	<filter>
      		<filter-name>springSecurityFilterChain</filter-name>
      		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
      
    	<filter-mapping>
      		<filter-name>springSecurityFilterChain</filter-name>
      		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    	
    	<!-- Enables clean URLs with JSP views e.g. /welcome instead of /app/welcome -->
    	<filter>
    		<filter-name>UrlRewriteFilter</filter-name>
    		<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
    	</filter>
    
    	<filter-mapping>
    		<filter-name>UrlRewriteFilter</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>   
    	
    	
    	<servlet>
    		<servlet-name>MyApp</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        	<load-on-startup>1</load-on-startup>
    	</servlet>
     
    	<servlet-mapping>
        	<servlet-name>MyApp</servlet-name>
        	<url-pattern>/app/*</url-pattern>
    	</servlet-mapping>
    	
    	<listener>
    		<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    	</listener>
    	<context-param>
    		<param-name>log4jConfigLocation</param-name>
    		<param-value>classpath:log4j.properties</param-value>
    	</context-param>
    	
    	<listener>
    		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    	</listener>
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>
    			classpath:applicationContext.xml
    			classpath:applicationContext-security.xml
    		</param-value>
    	</context-param>
    	
    	
    	
    	
    	<welcome-file-list>
    		<welcome-file>index.jsp</welcome-file>
    	</welcome-file-list>
    </web-app>
    Then I have used the following rewrite XML:

    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 3.0//EN" "http://tuckey.org/res/dtds/urlrewrite3.0.dtd">
    <urlrewrite default-match-type="wildcard">
    	<rule>
    		<from>/**</from>
    		<to>/app/$1</to>
    	</rule>
    	<outbound-rule>
    		<from>/app/**</from>
    		<to>/$1</to>
    	</outbound-rule>
    </urlrewrite>
    And for the simple example I have used the following spring security beans:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
      			 xmlns:beans="http://www.springframework.org/schema/beans"
      			 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      			 xsi:schemaLocation="http://www.springframework.org/schema/beans 
               						 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
               						 http://www.springframework.org/schema/security 
               						 http://www.springframework.org/schema/security/spring-security-3.0.xsd">
               						 
    	<http auto-config='true'>
    		
    		<intercept-url pattern="/secure/**" access="ROLE_USER"/>
    		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    		<form-login/>
    		<logout/>
    		<remember-me/>
      	</http>
      	
      	<authentication-manager>
    		<authentication-provider>
          		<user-service>
            		<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
            		<user name="bob" password="bobspassword" authorities="ROLE_USER" />
          		</user-service>
        	</authentication-provider>
      </authentication-manager>
      	
        
    </beans:beans>
    So as you can see I'm trying to secure any URLs matching /secure/(anything) but if I use the UrlRewrite filter the security doesn't invoke. However if I turn the filter off the security works fine?

    Can anyone help shine a light on my misunderstanding??

    Many thanks

    eggsy

  2. #2

    Solved

    Hi all

    Just to let people know I have solved my incorrect setup.

    My security-context.xml intercept url should have read:

    Code:
    <http auto-config='true'>
    	<intercept-url pattern="/secure/**" access="ROLE_USER"/>
    	<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    </http>
    Many thanks to anyone that read the post

  3. #3

    Furthermore

    Also I had linked the secure page incorrectly!

  4. #4


    eggsy84,

    Not sure what you have solved here... you have just removed the following lines, if I am not missing something. Please tell me how you have solved this, I have the same issue.

    http://forum.springsource.org/showth...t=81035&page=2

    Code:
    <form-login/>
    <logout/>
    <remember-me/>
    thanks

  5. #5

    Setup

    Hi there,

    Unfortunately, since writing that post I have had to further update my Spring security setup so that it allows two forms of authentication.

    Form based and Basic Http based for RESTful requests. For more info on this please see:

    http://forum.springsource.org/showth...stful+security

  6. #6


    hi,

    thanks, and I have solved the issue and it had to do with the way I have configured the filters (security, urlrewriter)

    http://forum.springsource.org/showth...t=81035&page=3

    Asad

    Thanks

  7. #7

    Hello there!

    Could someone please post demo app?

    I can't get it working. Tried for 5-6 hours.
    Let's care our nature!

  8. #8

    Try to change the filter's position

    In section 7.4 of the spring security documentation (7.4 Use with other Filter-Based Frameworks):

    "...If you're using some other framework that is also filter-based, then you need to make sure that the Spring Security filters come first..."

    Example:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    
    
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>/WEB-INF/spring/*.xml </param-value>
    	</context-param>
    
    	<filter>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    
    	<!--
    		Enables clean URLs with JSP views e.g. /welcome instead of
    		/app/welcome
    	-->
    	<filter>
    		<filter-name>UrlRewriteFilter</filter-name>
    		<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
    	</filter>
    
    	<filter-mapping>
    		<filter-name>UrlRewriteFilter</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    
    
    	<!-- Handles all requests into the application -->
    	<servlet>
    		<servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
    		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    
    		<init-param>
    			<param-name>contextConfigLocation</param-name>
    			<param-value> /WEB-INF/spring/*.xml </param-value>
    		</init-param>
    
    		<load-on-startup>1</load-on-startup>
    	</servlet>
    
    
    	<!-- Maps all /app requests to the DispatcherServlet for handling -->
    	<servlet-mapping>
    		<servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
    		<url-pattern>/app/*</url-pattern>
    	</servlet-mapping>
    
    
    	<!--
    		- Publishes events for session creation and destruction through the
    		application - context. Optional unless concurrent session control is
    		being used.
    	-->
    
    	<listener>
    		<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    	</listener>
    
    
    	<!--
    		- Loads the root application context of this web app at startup. - The
    		application context is then available via -
    		WebApplicationContextUtils.getWebApplicationContext(servletContext).
    	-->
    
    	<listener>
    		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    	</listener>
    
    
    </web-app>

  9. #9

    I have a similar problem: Spring Security does not seem to work if I put the filter
    after UrlRewriteFilter.
    My console log:
    [...]
    [INFO,DefaultAnnotationHandlerMapping] Mapped URL path [/centrali/getByIdbre/]
    [INFO,SimpleUrlHandlerMapping] Mapped URL path [/Menu] onto handler [org.springframework.web.servlet.mvc.ParameterizableViewController@1c220eb]
    [...]
    [INFO,SimpleUrlHandlerMapping] Root mapping to handler [org.springframework.web.servlet.mvc.ParameterizableViewController@1ff5c98]
    [INFO,MethodSecurityInterceptor] Validated configuration attributes
    [DEBUG,ExpressionBasedFilterInvocationSecurityMetadataSource] Adding web access control expression 'permitAll', for [/]
    [DEBUG,ExpressionBasedFilterInvocationSecurityMetadataSource] Adding web access control expression 'ROLE_USER', for [/**]
    [DEBUG,ExpressionBasedFilterInvocationSecurityMetadataSource] Added URL pattern: /; attributes: [permitAll]
    [DEBUG,ExpressionBasedFilterInvocationSecurityMetadataSource] Added URL pattern: /**; attributes: [ROLE_USER]
    If I point the browser at
    http://localhost:8080/ProvisioningWe...ali/getByIdbre
    or http://localhost:8080/ProvisioningWebInterface2/Menu
    I get the page but no login screen is prompted...

    If I move the filter up as hallisson suggests and point the browser to the same pages, I get an exception and can't see the page:
    Code:
    GRAVE: Servlet.service() for servlet default threw exception
    java.lang.IllegalStateException: No WebApplicationContext found: no ContextLoaderListener registered?
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:159)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    	at java.lang.Thread.run(Unknown Source)

    my web.xml:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
    	
    <context-param>
            <param-name>log4jConfigLocation</param-name>
            <param-value>/WEB-INF/log4j.properties</param-value>
    </context-param>
    
    <filter>
        <filter-name>characterEncodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
          <param-name>encoding</param-name>
          <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
          <param-name>forceEncoding</param-name>
          <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>characterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
    
    <filter>
        <filter-name>UrlRewriteFilter</filter-name>
        <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>UrlRewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
     <servlet>
        <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
          <param-name>contextConfigLocation</param-name>
          <param-value>
          		/WEB-INF/spring/app-config.xml
          		/WEB-INF/applicationContext-security.xml
          </param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet-mapping>
        <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
        <url-pattern>/app/*</url-pattern>
      </servlet-mapping>
    
    <listener>
            <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>
    
    
    </web-app>
    my app-config
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:context="http://www.springframework.org/schema/context"
    	xmlns:aop="http://www.springframework.org/schema/aop"
    	xmlns:p="http://www.springframework.org/schema/p"
    	xsi:schemaLocation="
    		http://www.springframework.org/schema/beans	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
    
    	<!-- Scans the classpath of this application for @Components to deploy as beans -->
    	<context:component-scan base-package="provisioningWebInterface2" />
    
    	<!-- Application Message Bundle -->
    	<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
    		<property name="basename" value="/WEB-INF/messages/messages" />
    		<property name="cacheSeconds" value="0" />
    	</bean>
    
    	<bean id="propertyPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
      		<property name="locations">
        		<list>
          			<value>/WEB-INF/app.properties</value>
        		</list>
      		</property>
    	</bean>
    
    	<bean id="costanti" class="utils.Costanti">
    		<property name="APPLICATION" value="${application}"/>
    		<property name="CARTELLA_UPLOAD" value="${file_upload_dir}"/>
    		<property name="SERVER_URI" value="${server_uri}"/>		
    	</bean>
    
    	<!-- Configures Spring MVC -->
    	<import resource="mvc-config.xml" />
    	
    	<!-- Configures Spring DATASOURCES -->
    	<import resource="dataSources-config.xml" />
    	
    	<import resource="dao.xml" />
    </beans>
    app-security.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <!--
      - Sample namespace-based configuration
      -
      -->
    
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
        <global-method-security pre-post-annotations="enabled">
            <!-- AspectJ pointcut expression that locates our "post" method and applies security that way
            <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
            -->
        </global-method-security>
    
            
       <http use-expressions="true">
            <intercept-url pattern="/" access="permitAll"/>
            <intercept-url pattern="/**" access="ROLE_USER" />
            <form-login />
            <logout />
        </http>
    
    
        <!--
        Usernames/Passwords are
            rod/koala
            dianne/emu
            scott/wombat
            peter/opal
        -->
        <authentication-manager>
            <authentication-provider>
                <password-encoder hash="md5"/>
                <user-service>
                    <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
                    <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
                    <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
                    <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
                </user-service>
            </authentication-provider>
        </authentication-manager>
    
    </beans:beans>
    Any hint will be appreciated, thanks in advance

  10. #10

    In the console I also have this info:
    Code:
    [INFO,XmlWebApplicationContext] Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler#0' is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
    [INFO,XmlWebApplicationContext] Bean '(inner bean)' is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
    [INFO,XmlWebApplicationContext] Bean '(inner bean)' is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
    [INFO,XmlWebApplicationContext] Bean 'org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource#0' is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
    [INFO,XmlWebApplicationContext] Bean 'org.springframework.security.methodSecurityMetadataSourceAdvisor' is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
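
The two failure modes reported in this thread (pages served with no login prompt when UrlRewriteFilter is mapped ahead of the security filter, and "No WebApplicationContext found" when DelegatingFilterProxy runs without a ContextLoaderListener) can be checked mechanically in a web.xml. The following is an added example, not code from any post or from Spring: the finding codes, helper names and sample documents are constructed, and it assumes the proxy uses its default lookup in the root application context.

```python
import xml.etree.ElementTree as ET

PROXY = "org.springframework.web.filter.DelegatingFilterProxy"
REWRITE = "org.tuckey.web.filters.urlrewrite.UrlRewriteFilter"
ROOT_LISTENER = "org.springframework.web.context.ContextLoaderListener"


def _kids(elem, name):
    # web.xml elements are namespaced; compare local names only
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _text(elem, name):
    found = _kids(elem, name)
    return (found[0].text or "").strip() if found else ""


def audit_web_xml(xml_text):
    """Return a list of finding codes (hypothetical names) for a web.xml string."""
    root = ET.fromstring(xml_text)
    classes = {_text(f, "filter-name"): _text(f, "filter-class")
               for f in _kids(root, "filter")}
    listeners = {_text(ln, "listener-class") for ln in _kids(root, "listener")}
    # The container builds the filter chain in <filter-mapping> order.
    mappings = _kids(root, "filter-mapping")
    chain = [classes.get(_text(m, "filter-name")) for m in mappings]
    findings = []
    if PROXY in chain and ROOT_LISTENER not in listeners:
        # By default the proxy looks its bean up in the root context.
        findings.append("proxy-without-root-context")
    if PROXY in chain and REWRITE in chain:
        sec = mappings[chain.index(PROXY)]
        dispatchers = {(d.text or "").strip() for d in _kids(sec, "dispatcher")}
        if chain.index(REWRITE) < chain.index(PROXY) and "FORWARD" not in dispatchers:
            # The rewrite filter forwards the request; a REQUEST-only security
            # mapping placed after it is not invoked for the forwarded URL.
            findings.append("rewrite-before-security")
    return findings


def make_web_xml(order, with_listener):
    """Build a constructed web.xml modelled on the layouts posted in the thread."""
    names = {"sec": ("springSecurityFilterChain", PROXY),
             "rw": ("UrlRewriteFilter", REWRITE)}
    body = "".join(
        "<filter><filter-name>%s</filter-name><filter-class>%s</filter-class></filter>"
        "<filter-mapping><filter-name>%s</filter-name><url-pattern>/*</url-pattern>"
        "</filter-mapping>" % (names[k][0], names[k][1], names[k][0]) for k in order)
    if with_listener:
        body += "<listener><listener-class>%s</listener-class></listener>" % ROOT_LISTENER
    return '<web-app xmlns="http://java.sun.com/xml/ns/javaee">%s</web-app>' % body


SECURITY_FIRST = make_web_xml(["sec", "rw"], with_listener=True)
REWRITE_FIRST_NO_LISTENER = make_web_xml(["rw", "sec"], with_listener=False)

if __name__ == "__main__":
    print(audit_web_xml(SECURITY_FIRST))
    print(audit_web_xml(REWRITE_FIRST_NO_LISTENER))
```

With the security filter mapped first, intercept-url patterns are matched against the URL the client sent (for example /secure/**), not the rewritten /app/... path.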
