Problem with filters="none" and requires-channel="https"

  • Problem with filters="none" and requires-channel="https"

    Hi,

    I'm finding it hard to understand why this configuration snippet is no longer acceptable in Spring 3.0.x:

    Code:
    <security:intercept-url pattern="/path_to_login_controller_url*" filters="none" requires-channel="https"/>
    This will cause the following if-statement in org.springframework.security.config.http.HttpConfigurationBuilder to be true:

    Code:
                    if (OPT_FILTERS_NONE.equals(filters)) {
                        pc.getReaderContext().error(
                                "Ambiguous configuration. Cannot contain " + INTERCEPT_URL+"@" + ATT_FILTERS +
                                "=\"" + OPT_FILTERS_NONE + "\" and " + INTERCEPT_URL + "@" + ATT_REQUIRES_CHANNEL,
                                pc.extractSource(urlElt));
                    }
    To me, there is nothing ambiguous in the XML above: I want no security filters on that URL, but I want it to only be available on HTTPS. I can't see any other way of having a URL mapped to a Controller in
    Code:
    <security:form-login login-page="/path_to_login_controller_url" />
    without removing security on it AND specifying the requires-channel="https". Without the filters="none" Spring will enter a 'redirection loop', because users are not allowed to see /path_to_login_controller_url without being logged in, so they are redirected to /path_to_login_controller_url to log in, but not being allowed to see it they are redirected again and again... and without the requires-channel="https" users can access the URL on HTTP and transmit their credentials in an insecure way.

    This used to work just fine in previous releases. Could someone shed some light on the reasons behind the if-statement above?

    Thanks

  • #2
    I don't know the answer but I would like to add a "me too" to the request.

    The snippet silvio posted, I also tried and I saw the same looping result. Very disappointing as the snippet is very clear about what is needed/wanted.



    • #3
      It's ambiguous because filters=none means do not use the Spring Security Filters, but requires-channel="https" means to use Spring Security Filters to ensure that the configuration is https. If you want to allow access to every user, use access="permitAll" instead of filters="none".



      • #4
        Problem with filters="none" and requires-channel="https"

        Hi:
        I am facing an error when I use filters="none" and requires-channel="https" for login page.
        I am securing my resources using defined roles.

        It is working fine when I access the resources using localhost on https: if I am not logged in, it is redirecting to the login page, and on successful login it is displaying the secured resource.

        But when I access the same secured resource using the domain name on https, I am getting an error as "Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects."

        When I tried with the permitAll expression, I am getting an error as "Unsupported configuration attributes: [permitAll]".

        Please help me in resolving this error.



        Regards
        Sreedhar


        Originally posted by Rob Winch
        It's ambiguous because filters=none means do not use the Spring Security Filters, but requires-channel="https" means to use Spring Security Filters to ensure that the configuration is https. If you want to allow access to every user, use access="permitAll" instead of filters="none".

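The configuration discussed in this thread, as an added example that is not part of any post: the rejected filters="none" rule beside the access="permitAll" form suggested in #3. In Spring Security 3.0, permitAll is only understood when expressions are enabled with use-expressions="true" on the http element; without it the access attribute is read as plain configuration attributes, which produces the "Unsupported configuration attributes: [permitAll]" error quoted in #4. The /** rule and ROLE_USER are assumptions for illustration, and the authentication-manager is assumed to be defined elsewhere in the application.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- Rejected in 3.0.x with "Ambiguous configuration": filters="none" takes the
       URL out of the filter chain, so no filter is left to enforce the channel.
  <security:intercept-url pattern="/path_to_login_controller_url*"
                          filters="none" requires-channel="https"/>
  -->

  <!-- Accepted: the login URL stays inside the filter chain, is open to every
       user (so there is no redirect to itself) and is still forced onto HTTPS. -->
  <security:http use-expressions="true">
    <security:intercept-url pattern="/path_to_login_controller_url*"
                            access="permitAll" requires-channel="https"/>
    <!-- Assumed catch-all rule; it also keeps the credential POST on HTTPS. -->
    <security:intercept-url pattern="/**"
                            access="hasRole('ROLE_USER')" requires-channel="https"/>
    <security:form-login login-page="/path_to_login_controller_url"/>
  </security:http>

  <!-- Equivalent when use-expressions is left at its 3.0 default of false:
  <security:http>
    <security:intercept-url pattern="/path_to_login_controller_url*"
                            access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
    <security:intercept-url pattern="/**"
                            access="ROLE_USER" requires-channel="https"/>
    <security:form-login login-page="/path_to_login_controller_url"/>
  </security:http>
  -->

</beans>
```

Rules are matched in order, so the login rule has to stay above the catch-all.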