Announcement Announcement Module
Collapse
No announcement yet.
Spring Security and custom filter chain Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring Security and custom filter chain

    Dear Spring Security community,

    I'm currently working on a solution, that:
    - tries to retrieve roles for an already authenticated user (via a reverse authentication proxy) from a SAP Netweaver portal web service. Here, a custom Spring enabled filter should be used.
    - limits accepted requests based on an IPv4/IPv6 address (range) to prevent by-passing the reverse authentication proxy. Here, I thought I could take the already existing "org.springframework.security.web.util.IpAddressMa tcher" class

    Currently, Spring offers the opportunity to integrate custom servlet filters into the Spring IOC container via:

    web.xml
    Code:
    ...
    <!-- delegating to a spring-managed bean that implements a "javax.servlet.Filter". Important: the name of the filter has to match the name of the bean that implements the filter. Note that you need only a single declaration in "web.xml" but you can have several filtering beans chained together in your application context. -->
    <filter>
        <filter-name>filterChainProxy</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <description>Tells the filter to use the servlet container to execute the standard init() and destroy() methods</description>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
        
    <filter-mapping>
        <filter-name>filterChainProxy</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
    <!-- The definition of the Root Spring Container shared by all Servlets and
           Filters. This is needed by the ContextLoaderListener. -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/root-context.xml</param-value>
    </context-param>
    ...
    Spring IOC.xml
    Code:
    <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <!-- new notation syntax since Spring 3.1 -->
        <constructor-arg>
            <util:list>
    	<!-- most specific URIs appear first as filter chain is read from top to down. Otherwise, more generic filters would overlay specific ones. By default, they use the ANT path request matcher. -->
                <security:filter-chain pattern="/wcms/**" filters="permissionFilter"/>
                <security:filter-chain pattern="/**" filters="WAMUserFilter,PortalRoleProviderFilter"/>
                <security:filter-chain pattern="/**" filters="*" request-matcher-ref="ipMatcher"/>
                <!-- to omit a request pattern from the security filter chain
                <security:filter-chain pattern="" filters="none" -->
            </util:list>
        </constructor-arg>
    </bean>
    
    <!-- Standard Spring bean that checks IPv4/IPv6 addresses of requests. Alternative solution: using "http" Spring tag in combination with Spring EL expression "hasIpAddress()" -->
    <bean id="ipMatcher" class="org.springframework.security.web.util.IpAddressMatcher">
        <constructor-arg value="127.0.0.1"/>
    </bean>

    I already know: there is an "<http>"-Spring tag available within the Spring security namespace that offers additional Spring EL methods like "hasIpAddress()" within the "intercept-url" tag but I do not know how to integrate my custom filters then. On top, the <http> block always creates a standard set of Spring filters, see: http://static.springsource.org/sprin...namespace.html that I might not necessarily need.

    Starting with Spring 3.1, Spring security offers "request-matcher-ref" attributes for "filter-chain" elements. Details see: http://static.springsource.org/sprin...ter-chain.html.

    What is your opinion? How to solve that ideally?
    Last edited by hking; Apr 5th, 2013, 05:26 AM.
Working...
X