
  • Bean based configuration and filters="none"

    Hello All-
    I recently switched from <http auto-config='true'...> to bean based configuration.

    Background:
    I have a pre-auth scenario (Apache + Shibboleth)

    All the css, js and images are under /resources

    I would like to use filters="none" for /resources (as I used to when using <http>), however it results in:
    Code:
    Bean 'fsi'; nested exception is org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: The attribute 'filters' isn't allowed here.
    Code:
    <bean id="fsi"
    		class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    		<property name="authenticationManager" ref="authenticationManager" />
    		<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />
    		<property name="securityMetadataSource">
    			<security:filter-security-metadata-source
    				use-expressions="true">
    				<security:intercept-url pattern="/resources/**"
    					filters="none" />
    				<security:intercept-url pattern="/login*"
    					access="permitAll" />
    				<security:intercept-url pattern="/logout*"
    					access="permitAll" />
    				<security:intercept-url pattern="/newlogin"
    					access="hasRole('ROLE_USER')" />
    				<security:intercept-url pattern="/**"
    					access="hasRole('ROLE_USER')" />
    			</security:filter-security-metadata-source>
    		</property>
    	</bean>
    I do have WebExpressionVoter defined:

    Code:
    <bean id="httpRequestAccessDecisionManager"
    		class="org.springframework.security.access.vote.AffirmativeBased">
    		<property name="allowIfAllAbstainDecisions" value="false" />
    		<property name="decisionVoters">
    			<list>
    				<ref bean="roleVoter" />
    				<ref bean="webExpVoter" />
    			</list>
    		</property>
    	</bean>
    
    <bean id="webExpVoter"
    		class="org.springframework.security.web.access.expression.WebExpressionVoter" />
    Is it not possible in bean based configurations?
    Any help will be highly appreciated.
    Thanks.

  • #2
    The version of Spring Security matters with regard to your question. For more recent versions, you should change filters="none" to access="permitAll".


    • #3
      I'm using Spring Security 3.0.5.

      I was under the impression filters="none" is a bit more efficient (especially for static resources, such as css & js) than access="permitAll", as the former completely circumvents authorization as opposed to the latter where authorization still happens with a true for all.

      Is this not correct?


      • #4
        You are confusing configuration of the FilterSecurityInterceptor with the FilterChainProxy. The latter maintains the filter chains which requests are mapped to - you should configure an empty filter chain for the pattern you wish to have omitted from Spring Security's handling.

        Using filters="none" within the FilterSecurityInterceptor configuration does not make any sense, as it is a single filter within the security filter chain.


        • #5
          Changed the filterChain to
          Code:
          <beans:bean id="springSecurityFilterChain"
          		class="org.springframework.security.web.FilterChainProxy">
          		<filter-chain-map path-type="ant">
          			<filter-chain pattern="/resources/**" filters="none" />
          			<filter-chain pattern="/**"
          				filters="sif,shibbolethFilter,logoutFilter,etf,fsi" />
          
          		</filter-chain-map>
          	</beans:bean>
          Thanks a lot for explaining.

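The chain selection described in posts #4 and #5, as an added example that is not part of the thread and is not Spring Security source code: a plain-Java model of a pattern-to-filters map in which the first matching pattern decides which filters run. The class name, the minimal matcher (exact paths and a trailing "/**" only) and the sample request paths are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Simplified model of first-match chain selection; not Spring Security source code.
public class ChainSelectionDemo {

    // Minimal matcher (assumption): exact paths and a trailing "/**" only.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // Walk the chains in declaration order and return the filters of the first match.
    static List<String> filtersFor(Map<String, List<String>> chains, String path) {
        for (Map.Entry<String, List<String>> chain : chains.entrySet()) {
            if (matches(chain.getKey(), path)) {
                return chain.getValue();
            }
        }
        return List.of(); // no chain matched: no security filters run
    }

    static void report(String label, Map<String, List<String>> chains) {
        System.out.println(label);
        // Constructed sample paths.
        for (String path : List.of("/resources/css/site.css", "/resourcesX/report", "/newlogin")) {
            List<String> filters = filtersFor(chains, path);
            System.out.println("  " + path + " -> " + (filters.isEmpty() ? "no security filters" : filters));
        }
    }

    public static void main(String[] args) {
        List<String> secured = List.of("sif", "shibbolethFilter", "logoutFilter", "etf", "fsi");

        Map<String, List<String>> asPosted = new LinkedHashMap<>();
        asPosted.put("/resources/**", List.of()); // filters="none"
        asPosted.put("/**", secured);
        report("Order from post #5:", asPosted);

        Map<String, List<String>> reversed = new LinkedHashMap<>();
        reversed.put("/**", secured);             // catch-all first shadows the next entry
        reversed.put("/resources/**", List.of());
        report("Catch-all declared first:", reversed);
    }
}
```

A request that lands on the empty chain never reaches fsi, so nothing under /resources/** is authenticated or authorized; only content that is safe to serve anonymously belongs there.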