Announcement Announcement Module
Collapse
No announcement yet.
stripQueryStringFromUrls missing from filter-security-metadata-source? Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • stripQueryStringFromUrls missing from filter-security-metadata-source?

    I am using Spring Security to secure an application that has both web pages and web services. I just migrated from Spring Security 2.x to 3.0.5. My configuration allows clients to load wsdl and xsd files using anonymous authentication. After upgrading (and reconfiguring for the new packages, etc.) , this is no longer functioning properly. The way that I am attempting to get this to work is by configuring the FilterChainProxy with "stripQueryFromUrls" as follows:

    <bean id="securityFilter" class="org.springframework.security.web.FilterChai nProxy">
    <property name="stripQueryStringFromUrls" value="false" />
    <security:filter-chain-map path-type="ant">
    <security:filter-chain pattern="/services/*?wsdl"
    filters="httpSessionContextIntegrationFilterWithAS CFalse,
    basicAuthenticationFilter,anonymousAuthenticationF ilter,
    basicExceptionTranslationFilter,
    filterSecurityInterceptor" />
    etc...

    This part works with SpringSecurity 3.0.5. The problem I am having is when I get to the FilterSecurityInterceptor. The default behavior now seems to be that query strings are stripped from URLs, and there doesn't seem to be a way to change this using the security name space. I also tried to define my own DefaultFilterInvocationSecurityMetadataSource in order to set the stripQueryStringFromUrls property manually, but I haven't been able to figure out how to configure it. I have copied part of my configuration below. Does anyone know how I can get this to work?

    <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.int ercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="securityMetadataSource">
    <security:filter-security-metadata-source>
    <security:intercept-url pattern='/services/*?wsdl'
    access='ROLE_ANONYMOUS' />
    etc...

  • #2
    This is happening because the Spring Security namespace does not include the query string for ant based patterns by default. If you switch to http@path-type="regex" it will use them. If you want to use ant style path matching and still use the namespace I would recommend looking at the FAQ as it explains how to configure beans that are created by the namespace schema if the namespace does not support it.

    PS: In the future, please use code tags (i.e. the # button) to make your posts more readable.

    Comment


    • #3
      Thank you! This is exactly what I needed. I will consider the regex path matching. In the meantime, the BeanPostProcessor worked. Here is my solution:

      Code:
      @Override
      public Object postProcessAfterInitialization(Object bean, String beanName)
      			throws BeansException {
      	if (bean instanceof DefaultFilterInvocationSecurityMetadataSource) {
      			log.info("********* Post-processing " + beanName);
      			((DefaultFilterInvocationSecurityMetadataSource) bean)
      					.setStripQueryStringFromUrls(false);
      	}
      	return bean;
      }

      Comment

      Working...
      X