
  • FilterChainProxy and Ordered

    I know that if you use the <http> element in the Security namespace, the resulting FilterChainProxy will honor the configured order of the plugged in Filter(s).

    However, I defined a FilterChainProxy bean, and the resulting execution order is the order in which they are defined.

    Why isn't my FilterChainProxy honoring the order of the filters as the Ordered interface specifies? Here's my filter chain definition:

    Code:
    <bean id="filterChainProxy"
          class="org.springframework.security.util.FilterChainProxy">
        <security:filter-chain-map path-type="regex">
            <security:filter-chain pattern="\A/.*"
                filters="httpSessionContextIntegrationFilter,
                         sessionFixationProtectionFilter,
                         securityConfigurationFilter,
                         logoutFilter,
                         ourSpecialAuthenticationProcessingFilter,
                         anonymousProcessingFilter,
                         exceptionTranslationFilter,
                         filterSecurityInterceptor" />
        </security:filter-chain-map>
    </bean>
    Each one of these filters is either the original filter with some replacement properties (for more fine-tuned security) or a filter we defined but which extends from SpringSecurityFilter (and therefore must implement the Ordered interface).

    As you can see, my definition puts the sessionFixationProtectionFilter out of its proper place. So when I go through the chain, it ends up as being filter 2 of 8, when it should be 6 of 8.

    Can anyone see what I'm doing wrong? Or do I need to post more information?

    Thanks in advance.

    -B

  • #2
    It is intended to work this way when configured explicitly. There is no attempt to change the order from what you have specified, which allows you full control over the filter chain.

    Namespace configuration removes the need to know about such details, so it enforces a standard ordering.

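Because an explicitly configured FilterChainProxy runs filters exactly as listed, a startup or test-time check can compare the declared list with the order the filters report through getOrder(). The following is an added example, not part of the original thread and not Spring Security code: the `Ordered` interface is a local stand-in for `org.springframework.core.Ordered`, the class and method names are hypothetical, and the order values are constructed so that the result matches the positions described in the first post.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class FilterOrderCheck {

    // Local stand-in for org.springframework.core.Ordered so the example compiles alone.
    interface Ordered { int getOrder(); }

    // One message per filter whose declared position differs from its getOrder() position.
    static List<String> misplaced(Map<String, Ordered> declared) {
        List<String> names = new ArrayList<>(declared.keySet());
        List<String> sorted = new ArrayList<>(names);
        // List.sort is stable: filters with equal order values keep their declared order.
        sorted.sort(Comparator.comparingInt((String n) -> declared.get(n).getOrder()));
        List<String> report = new ArrayList<>();
        for (int i = 0; i < names.size(); i++) {
            int expected = sorted.indexOf(names.get(i));
            if (expected != i) {
                report.add(names.get(i) + ": declared " + (i + 1) + " of " + names.size()
                        + ", position by getOrder() " + (expected + 1));
            }
        }
        return report;
    }

    public static void main(String[] args) {
        // Bean names from the post; the order values are constructed for this example
        // and are not Spring Security's real constants.
        Map<String, Ordered> chain = new LinkedHashMap<>();
        chain.put("httpSessionContextIntegrationFilter", () -> 100);
        chain.put("sessionFixationProtectionFilter", () -> 600);
        chain.put("securityConfigurationFilter", () -> 200);
        chain.put("logoutFilter", () -> 300);
        chain.put("ourSpecialAuthenticationProcessingFilter", () -> 400);
        chain.put("anonymousProcessingFilter", () -> 500);
        chain.put("exceptionTranslationFilter", () -> 700);
        chain.put("filterSecurityInterceptor", () -> 800);
        misplaced(chain).forEach(System.out::println);
    }
}
```

An empty report means the declared chain already matches the getOrder() ordering; any entry is a filter that will run earlier or later than its order value suggests.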


    • #3
      OK, that's kind of what I was figuring. So my next question is:

      Is there ever going to be a way to override each of the filter definitions and still use the <http> namespacing?

      I think there are a few of the filters I've defined that I don't believe you can reconfigure, or if so, am I not seeing the namespacing?

      -B
