Announcement Announcement Module
No announcement yet.
multiple authentication providers and url rewriting Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • multiple authentication providers and url rewriting

    Hello, can somebody please explain how is it possible to use Spring Security in order to secure RESTful application using

    - api key, provided as part of the URL
    - basic HTTP auth
    - username and encrypted password in request headers

    so for example single REST provider with url like

    can be accessed as

    without the need to explicitly map service to url,containing API key, as well as use URL without API key but secured with HTTP auth/custom headers

    I can think about providing the servlet filter, which may handle URL and put something into ThreadLocal to be picked up later by security provider, but this seems to be not consistent.

    Ideally I would like to provide set of authentication providers, which will handle different authentication scheme and probably rewrite URLs if required.

  • #2
    just refer Spring Security reference doc, it provide what you are looking for. Also its Filter base security,


    • #3
      I created simple filter:

      import org.springframework.web.filter.GenericFilterBean;
      import javax.servlet.*;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletRequestWrapper;
      import java.util.regex.Matcher;
      import java.util.regex.Pattern;
      public class APIKeyFilter extends GenericFilterBean{
          private final Pattern pattern;
          public APIKeyFilter(String urlPattern) {
              pattern = Pattern.compile(urlPattern);
          public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                  throws IOException, ServletException {
              HttpServletRequest servletRequest = (HttpServletRequest) request;
              final String requestPath = servletRequest.getPathInfo();
              Matcher matcher = pattern.matcher(requestPath);
              if (matcher.find()) {
                  String apiKey =;
                  SecurityContextHolder.getContext().setAuthentication(new APIKey(apiKey));
                  final int end = matcher.end(1);
                  request = new HttpServletRequestWrapper(servletRequest) {
                      public String getPathInfo() {
                          String s = requestPath.substring(end);
                          return s;
      and injected it into Spring configuration:

          <bean name="apiKeyFilter" class="APIKeyFilter">
              <constructor-arg value="^/([^\\/]+)/service/"/>
          <security:http auto-config='true'>
              <security:custom-filter ref="apiKeyFilter" before="BASIC_AUTH_FILTER"/>
              <security:intercept-url pattern="/**/service/**" access="ROLE_CUSTOMER"/>
      At this point filter is called and request is replaced with new one, but later on I am getting 404 error because there is no such URL. What may be wrong here? The url supposed to be replaced with new one (and the one without additional api key is working for sure)


      • #4
        I solved the problem with overriding getRequestURI and getRequestUrl methods. Apache CXF servlet uses those methods in order to resolve URL mappings, so it wasn't Spring issue.