Mar 19th, 2010, 10:17 AM
Is it possible to use spring-security without defining the springSecurityFilterChain DelegatingFilterProxy in the web.xml.
What I'd like to be able to do is contain all my configuration in spring configuration files and only include a dispatcher servlet in my web.xml file.
The thinking behind this is that I can have multiple modules in a web application. Each one with a separate dispatcher servlet and corresponding *-servlet.xml file. Each module could then have different security configuration.
In the bigger picture each web module would be a maven war overlay file which would be included in a master war project. In the master war's web.xml I would just need to define a dispatcher servlet for each sub module.
Mar 20th, 2010, 05:13 AM
No... Without the filter there would be no security.... Security needs to be applied before the servlet is called.
Well maybe not a definite no but not with the classes shipped with spring security regarding the web, you would have to write your own integration materials, transform a lot of servlet filters to a HandlerInterceptor, find a new way to react to exceptions etc.
Last edited by Marten Deinum; Mar 20th, 2010 at 05:20 AM.
Mar 21st, 2010, 10:22 AM
I thought as much.
It would be interesting to see if the filters could be adapted to also be interceptors so that you have a choice of web.xml or *-servlet.xml handling of security.
I'm going to do an investigation of this with the filters I use on my application.
For the most part any code in the doFilter before the chain.doFilter(request, response) would be done in a preHandle method and anything after would be in the afterCompletion method.