
  • Secure web path & REST services with different method (n00b question)

    Hi ppl,

    I'm new to Spring Security and am trying to get the following working:

    1. Secure a URI path with standard form authentication (got this bit)
    2. Secure a URI path with Basic Authentication for RESTful web services.

    Basically I want a standard web request to go through the normal form login process, but calls made to my REST web service should use HTTP Challenge/Response.

    I have followed the basic instructions for minimal setup, and we've got the standard form login process working, but sending an unauthenticated REST request brings back the login page!

    We want to have unauthenticated REST calls just responded with a 401 (or 403?) but no content.

    It appears we may need a more detailed config, but I got a bit lost trying to work out which elements need to go in which spring config to get this to work.

    Our current security config looks like this:

    Code:
        <http auto-config='true' >
        	<intercept-url pattern="/struts" access="ROLE_USER"  />
        	<intercept-url pattern="/rest/**" access="ROLE_USER" />
        	<form-login default-target-url="/struts/secure.home.action" login-page="/struts/home.action"/>
        	<http-basic/>
        	
      	</http>
      	
      	<beans:bean id="authenticationProvider" 
      		class="com.blah.security.AuthenticationProvider">
      		<beans:property name="userDao" ref="userDao"/>
      	</beans:bean>
      	
      	<authentication-provider user-service-ref="authenticationProvider"/>
    Clearly we want the "rest/**" path to be just BASIC authentication.

    Any help appreciated.

    Thanks.

  • #2
    You can't do this with the namespace at the moment. You'll need to configure the filter chain explicitly for the two cases (or for the Basic authentication one).


    • #3
      Thanks, I think I'd arrived at the same conclusion and have read the doco at:

      http://static.springsource.org/sprin...e.html#filters

      however I'm a bit unclear on how the definition of the various filters defined in the doco:

      httpSessionContextIntegrationFilterWithASCFalse
      basicProcessingFilter
      exceptionTranslationFilter
      filterSecurityInterceptor

      I have found other references elsewhere with some sample implementations, but the various options/nested beans required still elude me.

      Can you possibly point me in the right direction to find the relevant documentation and/or samples?

      Thanks.


      • #4
        The names are bean names for filter beans declared in the context. You might find the 3.0 docs are a bit better:

        http://static.springsource.org/sprin...er-chain-proxy

        The preauth sample uses a traditional bean configuration, so you can possibly use that to get a feel for things:

        https://src.springframework.org/svn/...t-security.xml


        • #5
          Great. Thanks for your help. More than enough for me to chew on!


          • #6
            Hi again,

            So I've made some progress, but am still stuck. Here's the config I have so far:

            Code:
            <beans xmlns="http://www.springframework.org/schema/beans"
                xmlns:sec="http://www.springframework.org/schema/security"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
             
             
            	<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
            	  <sec:filter-chain-map path-type="ant">
            	     <sec:filter-chain pattern="/rest/**" filters="
            		   securityContextPersistenceFilterWithASCFalse,
            		   basicAuthenticationFilter,
            		   exceptionTranslationFilter,
            		   filterSecurityInterceptor" />
            	     <sec:filter-chain pattern="/**" filters="
            		   securityContextPersistenceFilterWithASCTrue,
            		   formLoginFilter,
            		   exceptionTranslationFilter,
            		   filterSecurityInterceptor" />
            	  </sec:filter-chain-map>
            	</bean> 
            
            	<bean id="filterSecurityInterceptor"
            		class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
            
            	  <property name="authenticationManager" ref="authenticationManager"/>
            	  <property name="accessDecisionManager" ref="accessDecisionManager"/>
            
            	  <property name="securityMetadataSource">
            
            	    <sec:filter-security-metadata-source>
            	      <sec:intercept-url pattern="/struts/**" access="ROLE_USER"/>
            	      <sec:intercept-url pattern="/rest/**" access="ROLE_USER"/>
            	    </sec:filter-security-metadata-source>
            
            	  </property>
            
            	</bean>				
            		
            	<sec:authentication-manager alias="authenticationManager">
            		<sec:authentication-provider ref='authenticationProvider'/>
            	</sec:authentication-manager>		
            		
            	<bean id="securityContextPersistenceFilter"
            		class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
            	</bean>		
            
            	<bean id="basicAuthenticationFilter" 
            	  class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
            	  <property name="authenticationManager" ref="authenticationManager"/>
            	  <property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint"/>
            	</bean>
            
            	<bean id="basicAuthenticationEntryPoint"
            	  class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
            	  <property name="realmName" value="My Realm"/>
            	</bean>		
            
            	<bean id="exceptionTranslationFilter"
            	     class="org.springframework.security.web.access.ExceptionTranslationFilter">
            	  <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
            	  <property name="accessDeniedHandler" ref="accessDeniedHandler"/>
            	</bean>		
            
            	<bean id="accessDeniedHandler"
            	     class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
            	  <property name="errorPage" value="/accessDenied.htm"/>
            	</bean>		
            
            	<bean id="authenticationEntryPoint"
            	     class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
            	  <property name="loginFormUrl" value="/struts/home.action"/>
            	</bean>		
            
            
              	<bean id="authenticationProvider" 
              		class="com.blah.security.AuthenticationProvider">
              		<property name="userDao" ref="userDao"/>
              	</bean>    
             
            </beans>
            I haven't bothered trying to run this as I know it's incomplete, but I have a couple of questions:
            1. The filterSecurityInterceptor bean refers to an authenticationManager and an accessDecisionManager. I have configured the authenticationManager, but am not sure if it's correct. The accessDecisionManager is a mystery though. The doco has org.springframework.security.intercept.web.FilterSecurityInterceptor for this class, which doesn't seem to exist so I'm assuming it's org.springframework.security.web.access.intercept.FilterSecurityInterceptor. I can't seem to find any reference to what an accessDecisionManager is in the doco, and the javadoc for this class (org.springframework.security.access.AccessDecisionManager) is a bit unclear as to how it should be configured, or what it does.
            2. The accessDeniedHandler is referenced by the exceptionTranslationFilter, but in the case of my web service I obviously don't want an errorPage.. will this just be ignored? If so, do I even need it in the web service filter chain?
            3. Likewise for the authenticationEntryPoint in exceptionTranslationFilter
            4. I can't seem to find a reference to what a formLoginFilter is, or how it's configured.

            Am I missing some key part of the doco somewhere?

            P.S. I have downloaded latest 3.x RC

            Thanks again for any help you can provide.


            • #7
              Looks OK. You can copy the AccessDecisionManager bean from the preauth sample. For typical use (simple role names) you would use:

              Code:
                  <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
                      <property name="allowIfAllAbstainDecisions" value="false"/>
                      <property name="decisionVoters">
                          <list>
                              <bean class="org.springframework.security.access.vote.RoleVoter" />
                          </list>
                      </property>
                  </bean>
              This is usually created internally by the namespace.

              If you omit the error page from the AccessDeniedHandlerImpl it will send a 403 code, which is probably what you want here. Check the Javadoc for more info on that. Likewise for the entry point, you can use a Http403ForbiddenEntryPoint instance.

              Form login is implemented by UsernamePasswordAuthenticationFilter and you would use a LoginUrlAuthenticationEntryPoint for that filter chain.
              Last edited by Luke Taylor; Dec 22nd, 2009, 10:54 AM.


              • #8
                great.. thanks!


                • #9
                  Hi Luke.. I'm back. Hope you had a good Christmas.

                  I think I'm almost there, but still things aren't working as I want them. I have been able to get my web services bouncing back with a 401, but now I've broken the normal form login.

                  I have been trawling the forums looking for examples, and had to make some "creative" guesses as to how to get things working.

                  I wonder if I could trouble you to have another look at my config (sorry it's so large):

                  Code:
                  <beans xmlns="http://www.springframework.org/schema/beans"
                  	xmlns:security="http://www.springframework.org/schema/security"
                  	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  	xsi:schemaLocation="http://www.springframework.org/schema/beans 
                  	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                  	http://www.springframework.org/schema/security 
                  	http://www.springframework.org/schema/security/spring-security-3.0.xsd">  
                  
                  	<bean id="authenticationProvider" 
                  		class="com.blah.server.security.AuthenticationProvider">
                  		<property name="userDao" ref="userDao"/>
                  	</bean>  				
                  
                  	<security:authentication-manager alias="authenticationManager">
                  		<security:authentication-provider user-service-ref="authenticationProvider"/>
                  	</security:authentication-manager>		
                  
                  	<security:http entry-point-ref="formAuthenticationEntryPoint">
                  		<security:intercept-url pattern="/struts/**" access="ROLE_USER"/>
                  		<security:intercept-url pattern="/rest/**" access="ROLE_USER"/>
                  
                  		<!-- Don't apply any filters to the login form either, we want unauthenticated users to be able to see this --> 
                  		<security:intercept-url pattern="/struts/home.action" filters="none"/> 	      
                  
                  		<security:anonymous /> 
                  		<security:http-basic />
                  	</security:http>
                  
                  	<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
                  		<security:filter-chain-map path-type="ant">
                  			<security:filter-chain pattern="/struts/**" filters="
                  				securityContextPersistenceFilterWithASCTrue,
                  				formLoginFilter,
                  				formExceptionTranslationFilter,
                  				filterSecurityInterceptor" />
                  
                  			<security:filter-chain pattern="/rest/**" filters="
                  				securityContextPersistenceFilterWithASCFalse,
                  				basicAuthenticationFilter,
                  				basicExceptionTranslationFilter,
                  				filterSecurityInterceptor" />
                  		</security:filter-chain-map>
                  	</bean> 
                  
                  	<!-- Don't seem to be able to create one without session?? -->
                  	<bean id="securityContextPersistenceFilterWithASCFalse"
                  		class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
                  	</bean>
                  
                  	<bean id="securityContextPersistenceFilterWithASCTrue"
                  		class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
                  	</bean>		
                  
                  	<bean id="formLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
                  		<property name="authenticationManager" ref="authenticationManager"/>
                  
                  		<property name="authenticationSuccessHandler">
                  			<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
                  				<property name="defaultTargetUrl" value="/struts/secure.home.action"></property>
                  			</bean>
                  		</property>
                  
                  		<property name="filterProcessesUrl" value="/mrfserver/struts/j_spring_security_check"/>
                  	</bean>  
                  
                  	<bean id="formAuthenticationEntryPoint"
                  		class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
                  		<property name="loginFormUrl" value="/struts/home.action"/>
                  		<property name="forceHttps" value="false"/>
                  	</bean>		
                  
                  	<bean id="formExceptionTranslationFilter"
                  		class="org.springframework.security.web.access.ExceptionTranslationFilter">
                  		<property name="authenticationEntryPoint" ref="formAuthenticationEntryPoint"/>
                  		<property name="accessDeniedHandler" ref="formAccessDeniedHandler"/>
                  	</bean>				
                  
                  	<bean id="formAccessDeniedHandler"
                  		class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
                  		<property name="errorPage" value="/accessDenied.htm"/> 
                  	</bean>		
                  
                  
                  	<bean id="basicAuthenticationFilter" 
                  		class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
                  		<property name="authenticationManager" ref="authenticationManager"/>
                  		<property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint"/>
                  	</bean>	
                  
                  	<bean id="basicAuthenticationEntryPoint"
                  		class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
                  		<property name="realmName" value="somewhere.com"/>
                  	</bean>		
                  
                  	<bean id="basicExceptionTranslationFilter"
                  		class="org.springframework.security.web.access.ExceptionTranslationFilter">
                  		<property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint"/>
                  		<property name="accessDeniedHandler" ref="basicAccessDeniedHandler"/>
                  	</bean>				
                  
                  
                  	<bean id="basicAccessDeniedHandler"
                  		class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
                  	</bean>				
                  
                  
                  	<bean id="filterSecurityInterceptor"
                  		class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
                  
                  		<property name="authenticationManager" ref="authenticationManager"/>
                  		<property name="accessDecisionManager" ref="accessDecisionManager"/>
                  
                  		<property name="securityMetadataSource">
                  			<security:filter-security-metadata-source>
                  				<security:intercept-url pattern="/struts/**" access="ROLE_USER"/>
                  				<security:intercept-url pattern="/rest/**" access="ROLE_USER"/>
                  			</security:filter-security-metadata-source>
                  		</property>
                  	</bean>		
                  
                  	<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
                  		<property name="allowIfAllAbstainDecisions" value="false"/>
                  		<property name="decisionVoters">
                  			<list>
                  				<bean class="org.springframework.security.access.vote.RoleVoter" />
                  			</list>
                  		</property>
                  	</bean>
                  </beans>
                  So a couple of things:

                  Web services are working fine. Sending BASIC auth creds in the http request comes through to the back-end as expected.

                  Accessing the login form works (located at /struts/home.action), and trying to hit any other URL bumps to login as expected, the problem is that successful login does nothing. The server always just responds with a 302, redirecting back to login page.

                  I haven't bothered to include the login JSP code, as it's basically a copy/paste from samples so nothing special going on there.

                  You will also see from the config that I have thrown a bunch of things in which aren't really covered in the doco (namely the security:http element with the entry-point-ref="formAuthenticationEntryPoint"). It seemed I needed this, but I couldn't see this in the doco anywhere for this type of setup.

                  Also I couldn't seem to be able to set SecurityContextPersistenceFilter with allowSessionCreate (ASC) to false.. this class doesn't seem to have this property anymore (?)

                  It would be great if you could let me know if there is anything wrong/missing in the config, and also if there's anything that doesn't need to be there at all.

                  Thanks again for your help.


                  • #10
                    It's difficult to tell without log output. Have you verified that the URL you are submitting the login to is actually causing authentication to take place? It should be the same as the "filterProcessesUrl" value that the UsernamePasswordAuthenticationFilter is configured with. This should be obvious from the debug log as you will see the filter reporting that it is attempting authentication.

                    You should remove the <http> block as it is redundant, and you are overwriting it by using the name "springSecurityFilterChain" for your FilterChainProxy bean.

                    SecurityContextPersistenceFilter has a separate strategy for storing the context. The default is HttpSessionSecurityContextRepository. You'll find the session creation flags on there. For your web services, you could just use a null implementation of SecurityContextRepository, as the context will never be stored in practice.

                    Comment
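
The session flag described in reply #10, as an added example that is not part of the original thread or the posters' configuration: each SecurityContextPersistenceFilter is given its own HttpSessionSecurityContextRepository, with allowSessionCreation switched off for the /rest/** chain. It assumes Spring Security 3.0, where the filter takes the repository through its securityContextRepository property; the bean ids are the ones used in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

    <!-- /rest/** chain: the repository must never create an HttpSession to
         hold the SecurityContext, so a Basic-authenticated call does not
         leave a server-side session (and JSESSIONID cookie) behind it. -->
    <bean id="securityContextPersistenceFilterWithASCFalse"
          class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <property name="securityContextRepository">
            <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
                <property name="allowSessionCreation" value="false"/>
            </bean>
        </property>
    </bean>

    <!-- /struts/** chain: form login depends on the session, so the
         repository is allowed to create one (this is also the default). -->
    <bean id="securityContextPersistenceFilterWithASCTrue"
          class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <property name="securityContextRepository">
            <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
                <property name="allowSessionCreation" value="true"/>
            </bean>
        </property>
    </bean>

</beans>
```

The flag only stops the repository from creating a session: if a request to /rest/** already carries a session that holds a SecurityContext (for example from a form login in the same browser), that context is still loaded. A chain that must ignore sessions entirely needs the null SecurityContextRepository implementation mentioned in #10.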


                    • #11
                      OK I removed the http section and added:

                      Code:
                      <security:filter-chain pattern="/struts/home.action" filters="none"/>
                      as first filter chain..

                      I can confirm that the URL in the form matches the config:

                      Code:
                      <form name="f" action="/mrfserver/struts/j_spring_security_check" >  
                          <input type="text" name="j_username" value="system"/><br>
                          <input type="password"  name="j_password" value="password"/><br>
                          <button type="submit">Login</button><br/>
                      </form>
                      I did find a couple of issues reported in the logs, namely attempts to access style-sheets etc when the login form loaded that weren't in the "public" space, so fixed that too.

                      Now I get to the bit I don't quite understand. If I don't also add the j_spring_security_check URL to the list of "excluded" filters, I get:

                      Code:
                      Authentication exception occurred; redirecting to authentication entry point
                      So I added:

                      Code:
                      <security:filter-chain pattern="/struts/j_spring_security_check" filters="none"/>
                      Which produces a 404 as this is not a path that exists anywhere in my webapp. In the previous implementation (2.0.x) we were using the simpler form of the config:

                      Code:
                          <http auto-config='true' >
                          	<intercept-url pattern="/struts" access="ROLE_USER"  />
                          	<intercept-url pattern="/rest/**" access="ROLE_USER" />
                          	<form-login default-target-url="/struts/secure.home.action" login-page="/struts/home.action"/>
                          	<http-basic/>
                          </http>
                      But the login form has not changed. I'm not sure what this j_spring_security_check URL is, or what Spring is expecting to find there but whatever it is I don't have it.

                      Do I need to create my own login servlet? I somehow thought this was an auto-magic URL that would be handled internally by Spring.


                      • #12
                        j_spring_security_check is the URL that the UsernamePasswordAuthenticationFilter will process as an authentication request. You have set it in your configuration (filterProcessesUrl property), but it can be anything. Don't omit this URL from the filter chain or you will be unable to authenticate and you will get the 404.

                        The debug log will clearly show each request as it passes through the filter chain and you will see whether the login request matches the filterProcessesUrl value.

                        When reporting exceptions and log contents, please do so verbatim, including stacktraces and the debug context around them.


                        • #13
                          OK, with the following config:

                          Code:
                          		<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
                          		  <security:filter-chain-map path-type="ant">
                          		  
                          		  	<security:filter-chain pattern="/struts/home.action" filters="none"/>
                          		  	<security:filter-chain pattern="/struts/style/**" filters="none"/>
                          				<security:filter-chain pattern="/struts/js/**" filters="none"/>
                          
                          		     <security:filter-chain pattern="/struts/**" filters="
                          		           securityContextPersistenceFilterWithASCTrue,
                          		           formLoginFilter,
                          		           formExceptionTranslationFilter,
                          		           filterSecurityInterceptor" />
                          		           		  
                          		     <security:filter-chain pattern="/rest/**" filters="
                          		           securityContextPersistenceFilterWithASCFalse,
                          		           basicAuthenticationFilter,
                          		           basicExceptionTranslationFilter,
                          		           filterSecurityInterceptor" />
                          		
                          		  </security:filter-chain-map>
                          		</bean>
                          I get the "bounce back" to login (attached in log1.txt), caused by auth failure

                          Adding in the filter-chain for /struts/j_spring_security_check:

                          Code:
                          		<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
                          		  <security:filter-chain-map path-type="ant">
                          		  
                          		  	<security:filter-chain pattern="/struts/home.action" filters="none"/>
                          		  	<security:filter-chain pattern="/struts/style/**" filters="none"/>
                          				<security:filter-chain pattern="/struts/js/**" filters="none"/>
                          				<security:filter-chain pattern="/struts/j_spring_security_check" filters="none"/>
                          
                          		     <security:filter-chain pattern="/struts/**" filters="
                          		           securityContextPersistenceFilterWithASCTrue,
                          		           formLoginFilter,
                          		           formExceptionTranslationFilter,
                          		           filterSecurityInterceptor" />
                          		           		  
                          		     <security:filter-chain pattern="/rest/**" filters="
                          		           securityContextPersistenceFilterWithASCFalse,
                          		           basicAuthenticationFilter,
                          		           basicExceptionTranslationFilter,
                          		           filterSecurityInterceptor" />
                          		
                          		  </security:filter-chain-map>
                          		</bean>
                          I get a 404: (attached in log2.txt)


                          • #14
                            Er.. sorry...

                            I just worked it out.

                            I had the wrong URL as the filterProcessesUrl, which I had done before but didn't take note of the error, which was:

                            "Authentication method not supported: GET"

                            So obviously I changed the form to POST, and it works.

                            Sorry for wasting your time on this last question and thanks so much for your help!


                            • #15
                              FYI for anyone else reading this:

                              The mistake I had made was (at one point) including the web application context path in the URL for the filterProcessesUrl.

                              My app is set up such that web services sit under the "/rest/" context, and "normal" web actions sit under "/struts/" (this will be changing, but it was just to get things working).

                              However the entire application sits under a context in Tomcat, eg:

                              http://localhost:8080/<tomcat context>/struts/blah.action.

                              So my initial config for filterProcessesUrl was

                              Code:
                              <property name="filterProcessesUrl" value="/mrf/struts/j_spring_security_check"/>
                              Where "mrf" is my tomcat context. This should have been:

                              Code:
                              <property name="filterProcessesUrl" value="/struts/j_spring_security_check"/>
                              So the final (working) config looks like this:

                              Code:
                              <?xml version="1.0" encoding="UTF-8"?>
                              
                              <beans xmlns="http://www.springframework.org/schema/beans"
                              	xmlns:security="http://www.springframework.org/schema/security"
                              	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              	xsi:schemaLocation="http://www.springframework.org/schema/beans 
                              	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                              	http://www.springframework.org/schema/security 
                              	http://www.springframework.org/schema/security/spring-security-3.0.xsd">  
                              
                              	<bean id="authenticationProvider" 
                              		class="com.mrf.server.security.AuthenticationProvider">
                              		<property name="userDao" ref="userDao"/>
                              	</bean>  				
                              
                              	<security:authentication-manager alias="authenticationManager">
                              		<security:authentication-provider user-service-ref="authenticationProvider"/>
                              	</security:authentication-manager>		
                              
                              	<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
                              		<security:filter-chain-map path-type="ant">
                              
                              			<security:filter-chain pattern="/struts/home.action" filters="none"/>
                              			<security:filter-chain pattern="/struts/style/**" filters="none"/>
                              			<security:filter-chain pattern="/struts/js/**" filters="none"/>
                              
                              			<security:filter-chain pattern="/struts/**" filters="
                              			   securityContextPersistenceFilterWithASCTrue,
                              			   formLoginFilter,
                              			   formExceptionTranslationFilter,
                              			   filterSecurityInterceptor" />
                              
                              			<security:filter-chain pattern="/rest/**" filters="
                              			   securityContextPersistenceFilterWithASCFalse,
                              			   basicAuthenticationFilter,
                              			   basicExceptionTranslationFilter,
                              			   filterSecurityInterceptor" />
                              
                              		</security:filter-chain-map>
                              	</bean> 
                              
                              	<!-- Don't seem to be able to create one without session?? -->
                              	<bean id="securityContextPersistenceFilterWithASCFalse"
                              		class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
                              	</bean>
                              
                              	<bean id="securityContextPersistenceFilterWithASCTrue"
                              		class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
                              	</bean>		
                              
                              	<bean id="formLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
                              		<property name="authenticationManager" ref="authenticationManager"/>
                              
                              		<property name="authenticationSuccessHandler">
                              			<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
                              				<property name="defaultTargetUrl" value="/struts/secure.home.action"></property>
                              			</bean>
                              		</property>
                              
                              		<property name="filterProcessesUrl" value="/struts/j_spring_security_check"/>
                              	</bean>  
                              
                              	<bean id="formAuthenticationEntryPoint"
                              		class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
                              		<property name="loginFormUrl" value="/struts/home.action"/>
                              		<property name="forceHttps" value="false"/>
                              	</bean>		
                              
                              	<bean id="formExceptionTranslationFilter"
                              		class="org.springframework.security.web.access.ExceptionTranslationFilter">
                              		<property name="authenticationEntryPoint" ref="formAuthenticationEntryPoint"/>
                              		<property name="accessDeniedHandler" ref="formAccessDeniedHandler"/>
                              	</bean>				
                              
                              	<bean id="formAccessDeniedHandler"
                              		class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
                              		<property name="errorPage" value="/accessDenied.htm"/> 
                              	</bean>		
                              
                              
                              	<bean id="basicAuthenticationFilter" 
                              		class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
                              		<property name="authenticationManager" ref="authenticationManager"/>
                              		<property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint"/>
                              	</bean>	
                              
                              	<bean id="basicAuthenticationEntryPoint"
                              		class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
                              		<property name="realmName" value="ovadrive.com"/>
                              	</bean>		
                              
                              	<bean id="basicExceptionTranslationFilter"
                              		class="org.springframework.security.web.access.ExceptionTranslationFilter">
                              		<property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint"/>
                              		<property name="accessDeniedHandler" ref="basicAccessDeniedHandler"/>
                              	</bean>				
                              
                              	<bean id="basicAccessDeniedHandler"
                              		class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
                              	</bean>				
                              
                              	<bean id="filterSecurityInterceptor"
                              		class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
                              
                              		<property name="authenticationManager" ref="authenticationManager"/>
                              		<property name="accessDecisionManager" ref="accessDecisionManager"/>
                              
                              		<property name="securityMetadataSource">
                              
                              			<security:filter-security-metadata-source>
                              				<security:intercept-url pattern="/struts/**" access="ROLE_USER"/>
                              				<security:intercept-url pattern="/rest/**" access="ROLE_USER"/>
                              			</security:filter-security-metadata-source>
                              
                              		</property>
                              
                              	</bean>		
                              
                              	<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
                              		<property name="allowIfAllAbstainDecisions" value="false"/>
                              		<property name="decisionVoters">
                              			<list>
                              				<bean class="org.springframework.security.access.vote.RoleVoter" />
                              			</list>
                              		</property>
                              	</bean>
                              </beans>

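Added example, not part of the original post: one way to make the `/rest/**` chain avoid creating sessions, which is what the `<!-- Don't seem to be able to create one without session?? -->` comment in the config above is asking about. It assumes Spring Security 3.0 (the schema version the post declares); the bean ids `statelessContextRepository` and `nullRequestCache` are hypothetical names, and the other ids are reused from the post.

```xml
<!-- Added example: drop-in replacements for the beans of the same id in the
     post above. Targets Spring Security 3.0. The ids
     statelessContextRepository and nullRequestCache are hypothetical names
     introduced for this example. -->

<!-- Reads a SecurityContext from a session that already exists, but never
     creates a session in order to store one. -->
<bean id="statelessContextRepository"
	class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
	<property name="allowSessionCreation" value="false"/>
</bean>

<bean id="securityContextPersistenceFilterWithASCFalse"
	class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
	<property name="securityContextRepository" ref="statelessContextRepository"/>
	<property name="forceEagerSessionCreation" value="false"/>
</bean>

<!-- The default request cache saves the rejected request in the session so
     a form login can replay it. A Basic-auth client just resends the request
     with credentials, so nothing needs to be cached. -->
<bean id="nullRequestCache"
	class="org.springframework.security.web.savedrequest.NullRequestCache"/>

<bean id="basicExceptionTranslationFilter"
	class="org.springframework.security.web.access.ExceptionTranslationFilter">
	<property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint"/>
	<property name="accessDeniedHandler" ref="basicAccessDeniedHandler"/>
	<property name="requestCache" ref="nullRequestCache"/>
</bean>
```

With these two replacements Spring Security itself no longer creates a session for requests matched by `/rest/**`, so each REST call has to carry its own Basic credentials. A browser that already holds a form-login session is still recognised on `/rest/**`, because the repository keeps reading existing sessions.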