Authenticator forwards to wrong URL with UrlRewriteFilter

[mark_m]

I'm using Spring Security 3.0.3 and have started to migrate our web application to a RESTful architecture.

To do this, I changed the dispatcher servlet so that it responds to /app/* requests instead of /*.html requests and then used Tuckey's UrlRewriteFilter to hide the 'app' directory from the user.

Everything is working very nicely, except for Spring's form authentication. After logging in, the user is always forwarded to /app/ instead of /. With the Rewrite filter enabled, this results in a 404 message since it ultimately resolves to /app/app/.

Any help would be very much appreciated. I've searched and experimented for hours, but can't seem to get this functioning correctly.

Here are the filter mappings in my web.xml:

Code:

<!-- Enables clean URLs with JSP views e.g. /welcome instead of /app/welcome -->
    <filter>
        <filter-name>UrlRewriteFilter</filter-name>
        <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>UrlRewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>httpMethodFilter</filter-name>
        <filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>httpMethodFilter</filter-name>
        <servlet-name>dispatcher</servlet-name>
    </filter-mapping>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

    <filter>
        <filter-name>encoding-filter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>encoding-filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>hibernateSessionFilter</filter-name>
        <filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>hibernateSessionFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

Here are my rewrite rules in urlrewrite.xml

Code:

<!-- Access to scripts and styles -->
    <rule>
        <from>/script/**</from>
        <to>/script/$1</to>
    </rule>
    <rule>
        <from>/style/**</from>
        <to>/style/$1</to>
    </rule>
    
    <!-- Spring Security Servlets -->
    <rule>
        <from>/login.jsp</from>
        <to>/login.jsp</to>
    </rule>
    <rule>
        <from>/logout.html</from>
        <to>/logout.html</to>
    </rule>
    <rule>
        <from>/j_spring_security_check**</from>
        <to last="true">/j_spring_security_check$1</to>
    </rule>

    <rule>
        <from>/j_spring_security_logout**</from>
        <to last="true">/j_spring_security_logout$1</to>
    </rule>

    <!-- Spring Dispatcher -->
    <rule>
        <from>/**</from>
        <to>/app/$1</to>
    </rule>
    <outbound-rule>
        <from>/app/**</from>
        <to>/$1</to>
    </outbound-rule>

Here is the Spring Security configuration:

Code:

<security:global-method-security secured-annotations="enabled" />
    
    <security:http auto-config="true">
        <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <security:intercept-url pattern="/style/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/style/error.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/style/images/error-icon-large.png" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/style/images/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

        <!-- Override default login and logout pages -->
        <security:form-login login-page="/login.jsp"
                             default-target-url="/"
                             authentication-failure-url="/login.jsp?error=1" />
        <security:logout logout-url="/logout.html" logout-success-url="/" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider user-service-ref="defaultUserService">
            <security:password-encoder hash="md5" />
        </security:authentication-provider>
    </security:authentication-manager>

Eventually, I'd like to configure things so that requests for xml marshalled data is authenticated via http basic, but requests for web pages use form authentication, but I'd like to take things one step at a time.

[Rob Winch]

In attempt to be a bit lazy and still help... Have you considered the new method of not using UrlRewriteFilter? The new method has added benefits (i.e. caching resources). See the Spring MVC Showcase for an example. If you are set on using UrlRewriteFilter let me know and I will take a look at it.

HTH,

[mark_m]

Unfortunately I have to use UrlRewriteFilter for the time being (I'll be updating the application to the most recent best practices in due time), so any help with it would be very much appreciated.

[Rob Winch]

Try switching the ordering of the filter-mappings in your web.xml to have UrlRewriteFilter to be after Spring Security.

[mark_m]

Try switching the ordering of the filter-mappings in your web.xml to have UrlRewriteFilter to be after Spring Security.

Worked like a charm! Thanks, rwinch. I feel a little silly for not having tried that earlier because it makes perfect sense, but to my credit the Spring Security documentation explicitly says to include its filter first.

Thanks again!

[Rob Winch]

Glad that worked. I did not realize the SS documentation even referenced the UrlRewriteFilter. Can you please point me to that documentation?

PS: I think this it is a bit of a preference which ordering you place the filter, but I like placing the SS first. This makes it easier as you are securing the URLs that the user sees and not the URLs that the rewrite filter is attempting to use. Additionally, the SS Filter does not need to process forwards with the SS filter first.

[mark_m]

I did not realize the SS documentation even referenced the UrlRewriteFilter. Can you please point me to that documentation?

It doesn't reference UrlRewriteFilter specifically. It just says that the SS filter should be the first in web.xml before all others.

[Rob Winch]

Sorry I misread, I thought that you were saying the doc stated the UrlRewriteFilter should be first. I was going to try and get things corrected, I guess it is already ok.