Announcement Announcement Module
Collapse
No announcement yet.
Configuration for applying https to certain pages Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Configuration for applying https to certain pages

    Hi to you all,

    I need to configure Spring Security 2.0.5 to demand certain pages to go through https. I don't need any other functionality. I tried several times to configure but I am struggling for few days now, so I would like some tips from more experienced users.

    In web.xml I have:
    Code:
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>
    			/WEB-INF/applicationContext-security.xml
    		</param-value>
    	</context-param>
             <filter>
    		<filter-name>filterChainProxy</filter-name>
    		<filter-class>org.springframework.security.util.FilterChainProxy</filter-class>
    	</filter>
    
    	<filter-mapping>
    		<filter-name>filterChainProxy</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    Than I supply the applicationContext-security.xml:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
    
    	<beans:bean id="filterChainProxy"
    		class="org.springframework.security.util.FilterChainProxy">
    		<filter-chain-map path-type="ant">
    			<filter-chain pattern="/**" filters="channelProcessingFilter" />
    		</filter-chain-map>
    	</beans:bean>
    
    	<beans:bean id="channelProcessingFilter"
    		class="org.springframework.security.securechannel.ChannelProcessingFilter">
    		<beans:property name="channelDecisionManager" ref="channelDecisionManager" />
    		<beans:property name="filterInvocationDefinitionSource">
    			<filter-invocation-definition-source
    				path-type="regex">
    				<intercept-url pattern="/images/baBaaLogoWide.jpg"
    					access="REQUIRES_SECURE_CHANNEL" />
    				<intercept-url pattern="/url1.htm" access="REQUIRES_SECURE_CHANNEL" />
    				<intercept-url pattern="/url2.htm" access="REQUIRES_SECURE_CHANNEL" />
    				<intercept-url pattern="/.*" access="ANY_CHANNEL" 
    />
    			</filter-invocation-definition-source>
    		</beans:property>
    	</beans:bean>
    	<beans:bean id="channelDecisionManager"
    		class="org.springframework.security.securechannel.ChannelDecisionManagerImpl">
    		<beans:property name="channelProcessors">
    			<beans:list>
    				<beans:ref bean="secureChannelProcessor" />
    				<beans:ref bean="insecureChannelProcessor" />
    			</beans:list>
    		</beans:property>
    	</beans:bean>
    	<beans:bean id="secureChannelProcessor"
    		class="org.springframework.security.securechannel.SecureChannelProcessor" />
    	<beans:bean id="insecureChannelProcessor"
    		class="org.springframework.security.securechannel.InsecureChannelProcessor" />
    </beans:beans>
    If I specify the filter chain like this:
    Code:
             filters="channelProcessingFilter"
    than I get a NullPointerException and I guess I miss some required filters in the chain.
    If I use:
    Code:
            filters="channelProcessingFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"
    than I get
    No bean named 'authenticationProcessingFilter' is defined
    .

    Do I need to define all these filters(beans) to create my functionality or can I do it in a simpler fashion? Am I in the right direction?

    Regards,
    Despot

  • #2
    Have you tried using the namespace configuration...it is a lot easier. If you have trouble getting it working for the URLs you like...turn on debug logging and it will tell you what it is or isn't matching on.

    Comment


    • #3
      Do what Rob suggested. If you simply must configure your own beans, there are about 20 or so that are the minimum set. All the filter names there should refer to bean id's, which is why you are seeing that error.

      Comment


      • #4
        Solved the problem

        Thank you rwinch and pmularien for replying!

        Before opening this thread, I tried several times to solve this problem through namespace configuration. Unfortunately, I was stuck at having to authenticate through the login-form first and I didn't want this behavior. If I omitted the <form-login default-target-url="/home.htm" /> I was receiving an Missing AuthenticationEntryPoint exception. Than I read that I need to customize the FilterChainProxy so I can get additional functionalities. I think this is where I took the wrong path. It is odd that there is no example for the simplest functionalities (I saw the tutorial, contacts and cas examples..) like the one I was trying to implement. I am just mentioning this as an suggestion for improvement, but I have to state that I appreciate the effort input in the Spring Security project.

        Luckily, this time I saw the <http-basic> tag and I saw that it has an Default entry point. Together with the <anonymous /> tag and the <intercept-url />, I solved my problems. So for anyone out there who is interested in the solution here is what works for me:

        web.xml (security part):
        Code:
        	<context-param>
        		<param-name>contextConfigLocation</param-name>
        		<param-value>
        			/WEB-INF/applicationContext-security.xml
        		</param-value>
        	</context-param>
        
                 <filter>
        		<filter-name>springSecurityFilterChain</filter-name>
        		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        	</filter>
        	<filter-mapping>
        		<filter-name>springSecurityFilterChain</filter-name>
        		<url-pattern>/*</url-pattern>
        	</filter-mapping>
        the applicationContext-security.xml:
        Code:
        <?xml version="1.0" encoding="UTF-8"?>
        
        <beans:beans xmlns="http://www.springframework.org/schema/security"
        	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                                http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
        
        	<http>
        		<intercept-url pattern="/url1.htm"
        		access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />
        		<intercept-url pattern="/url2.htm"
        		access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />
        		<intercept-url pattern="/**"
        		access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="http" />
        
        		<anonymous />
        		<http-basic/>
        	</http>
        	
        	<!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
            <beans:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
        	
        </beans:beans>
        See the appendix for more on each tag.

        Best Regards,
        Despot
        P.S.: I have to thank both of you again (rwinch and pmularien) since you are the first ones to reply to a thread that I started. If we cross paths somewhere you have a beer on me
        Last edited by despot; Aug 27th, 2010, 07:42 AM. Reason: adding an important reference link

        Comment

        Working...
        X