Configuration for applying https to certain pages

**despot** · Aug 26th, 2010, 10:43 AM

Hi to you all,

I need to configure Spring Security 2.0.5 to demand certain pages to go through https. I don't need any other functionality. I tried several times to configure but I am struggling for few days now, so I would like some tips from more experienced users.

In web.xml I have:

Code:

	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
			/WEB-INF/applicationContext-security.xml
		</param-value>
	</context-param>
         <filter>
		<filter-name>filterChainProxy</filter-name>
		<filter-class>org.springframework.security.util.FilterChainProxy</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>filterChainProxy</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

Than I supply the applicationContext-security.xml:

Code:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

	<beans:bean id="filterChainProxy"
		class="org.springframework.security.util.FilterChainProxy">
		<filter-chain-map path-type="ant">
			<filter-chain pattern="/**" filters="channelProcessingFilter" />
		</filter-chain-map>
	</beans:bean>

	<beans:bean id="channelProcessingFilter"
		class="org.springframework.security.securechannel.ChannelProcessingFilter">
		<beans:property name="channelDecisionManager" ref="channelDecisionManager" />
		<beans:property name="filterInvocationDefinitionSource">
			<filter-invocation-definition-source
				path-type="regex">
				<intercept-url pattern="/images/baBaaLogoWide.jpg"
					access="REQUIRES_SECURE_CHANNEL" />
				<intercept-url pattern="/url1.htm" access="REQUIRES_SECURE_CHANNEL" />
				<intercept-url pattern="/url2.htm" access="REQUIRES_SECURE_CHANNEL" />
				<intercept-url pattern="/.*" access="ANY_CHANNEL" 
/>
			</filter-invocation-definition-source>
		</beans:property>
	</beans:bean>
	<beans:bean id="channelDecisionManager"
		class="org.springframework.security.securechannel.ChannelDecisionManagerImpl">
		<beans:property name="channelProcessors">
			<beans:list>
				<beans:ref bean="secureChannelProcessor" />
				<beans:ref bean="insecureChannelProcessor" />
			</beans:list>
		</beans:property>
	</beans:bean>
	<beans:bean id="secureChannelProcessor"
		class="org.springframework.security.securechannel.SecureChannelProcessor" />
	<beans:bean id="insecureChannelProcessor"
		class="org.springframework.security.securechannel.InsecureChannelProcessor" />
</beans:beans>

If I specify the filter chain like this:

Code:

         filters="channelProcessingFilter"

than I get a NullPointerException and I guess I miss some required filters in the chain.
If I use:

Code:

        filters="channelProcessingFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"

than I get

No bean named 'authenticationProcessingFilter' is defined

.

Do I need to define all these filters(beans) to create my functionality or can I do it in a simpler fashion? Am I in the right direction?

Regards,
Despot

**Rob Winch** · Aug 26th, 2010, 11:41 AM

Have you tried using the namespace configuration...it is a lot easier. If you have trouble getting it working for the URLs you like...turn on debug logging and it will tell you what it is or isn't matching on.

**pmularien** · Aug 26th, 2010, 02:37 PM

Do what Rob suggested. If you simply must configure your own beans, there are about 20 or so that are the minimum set. All the filter names there should refer to bean id's, which is why you are seeing that error.

**despot** · Aug 27th, 2010, 07:39 AM

Thank you rwinch and pmularien for replying!

Before opening this thread, I tried several times to solve this problem through namespace configuration. Unfortunately, I was stuck at having to authenticate through the login-form first and I didn't want this behavior. If I omitted the <form-login default-target-url="/home.htm" /> I was receiving an Missing AuthenticationEntryPoint exception. Than I read that I need to customize the FilterChainProxy so I can get additional functionalities. I think this is where I took the wrong path. It is odd that there is no example for the simplest functionalities (I saw the tutorial, contacts and cas examples..) like the one I was trying to implement. I am just mentioning this as an suggestion for improvement, but I have to state that I appreciate the effort input in the Spring Security project.

Luckily, this time I saw the <http-basic> tag and I saw that it has an Default entry point. Together with the <anonymous /> tag and the <intercept-url />, I solved my problems. So for anyone out there who is interested in the solution here is what works for me:

web.xml (security part):

Code:

	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
			/WEB-INF/applicationContext-security.xml
		</param-value>
	</context-param>

         <filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

the applicationContext-security.xml:

Code:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

	<http>
		<intercept-url pattern="/url1.htm"
		access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />
		<intercept-url pattern="/url2.htm"
		access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />
		<intercept-url pattern="/**"
		access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="http" />

		<anonymous />
		<http-basic/>
	</http>
	
	<!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
    <beans:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
	
</beans:beans>

See the appendix for more on each tag.

Best Regards,
Despot
P.S.: I have to thank both of you again (rwinch and pmularien) since you are the first ones to reply to a thread that I started. If we cross paths somewhere you have a beer on me

Thread: Configuration for applying https to certain pages

Thread Tools

Display

Configuration for applying https to certain pages

Solved the problem

Tags for this Thread

Posting Permissions