  • stripQueryStringFromUrls missing from filter-security-metadata-source?

    I am using Spring Security to secure an application that has both web pages and web services. I just migrated from Spring Security 2.x to 3.0.5. My configuration allows clients to load wsdl and xsd files using anonymous authentication. After upgrading (and reconfiguring for the new packages, etc.), this is no longer functioning properly. The way that I am attempting to get this to work is by configuring the FilterChainProxy with "stripQueryFromUrls" as follows:

    <bean id="securityFilter" class=" nProxy">
      <property name="stripQueryStringFromUrls" value="false" />
      <security:filter-chain-map path-type="ant">
        <security:filter-chain pattern="/services/*?wsdl"
            filters="httpSessionContextIntegrationFilterWithASCFalse,
                     basicAuthenticationFilter,anonymousAuthenticationFilter,
                     filterSecurityInterceptor" />

    This part works with Spring Security 3.0.5. The problem I am having is when I get to the FilterSecurityInterceptor. The default behavior now seems to be that query strings are stripped from URLs, and there doesn't seem to be a way to change this using the security namespace. I also tried to define my own DefaultFilterInvocationSecurityMetadataSource in order to set the stripQueryStringFromUrls property manually, but I haven't been able to figure out how to configure it. I have copied part of my configuration below. Does anyone know how I can get this to work?

    <bean id="filterSecurityInterceptor" class=" ercept.FilterSecurityInterceptor">
      <property name="authenticationManager" ref="authenticationManager" />
      <property name="accessDecisionManager" ref="accessDecisionManager" />
      <property name="securityMetadataSource">
        <security:intercept-url pattern='/services/*?wsdl'
            access='ROLE_ANONYMOUS' />

  • #2
    This is happening because the Spring Security namespace does not include the query string for ant-based patterns by default. If you switch to path-type="regex" it will use them. If you want to use ant-style path matching and still use the namespace, I would recommend looking at the FAQ, as it explains how to configure beans that are created by the namespace schema if the namespace does not support it.

    PS: In the future, please use code tags (i.e. the # button) to make your posts more readable.


    • #3
      Thank you! This is exactly what I needed. I will consider the regex path matching. In the meantime, the BeanPostProcessor worked. Here is my solution:

      public Object postProcessAfterInitialization(Object bean, String beanName)
              throws BeansException {
          if (bean instanceof DefaultFilterInvocationSecurityMetadataSource) {
              System.out.println("********* Post-processing " + beanName);
              // Keep the query string so patterns such as /services/*?wsdl can match
              ((DefaultFilterInvocationSecurityMetadataSource) bean)
                      .setStripQueryStringFromUrls(false);
          }
          return bean;
      }
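
Added example, not part of the thread and not Spring Security's own code: once query strings are kept, the ant pattern `/services/*?wsdl` from the question is matched with `?` as a single-character wildcard and `*` as any run of characters within a path segment, so it is worth checking exactly which URLs the `ROLE_ANONYMOUS` rule covers and comparing that with a regex pattern of the kind reply #2 suggests. The class name, the regex and the sample URLs are assumptions made for this sketch; it assumes the ant path type follows the semantics of Spring's `AntPathMatcher` and needs spring-core on the classpath.

```java
import java.util.regex.Pattern;
import org.springframework.util.AntPathMatcher;

public class WsdlPatternCheck {
    // Ant pattern taken from the thread.
    static final String ANT = "/services/*?wsdl";
    // Regex alternative (constructed for this example): one path segment,
    // then a literal '?' followed by exactly "wsdl".
    static final Pattern REGEX = Pattern.compile("/services/[^/?]+\\?wsdl");

    static final AntPathMatcher ANT_MATCHER = new AntPathMatcher();

    // Ant semantics: '?' is any single character, '*' is any run of
    // characters that does not cross a '/'.
    static boolean antMatches(String url) {
        return ANT_MATCHER.match(ANT, url);
    }

    // Whole-string regex match, so nothing may precede or follow the pattern.
    static boolean regexMatches(String url) {
        return REGEX.matcher(url).matches();
    }

    public static void main(String[] args) {
        // Constructed request URLs with the query string retained,
        // as happens when stripQueryStringFromUrls is false.
        String[] urls = {
            "/services/Orders?wsdl",       // the request the rule is meant for
            "/services/Orders?wsdl=1",     // extra text after "wsdl"
            "/services/Orders",            // no query string at all
            "/services/Ordersxwsdl",       // no literal '?' before "wsdl"
            "/services/Orders?op=getwsdl"  // different query ending in "wsdl"
        };
        System.out.printf("%-30s %-6s %s%n", "url", "ant", "regex");
        for (String url : urls) {
            System.out.printf("%-30s %-6b %b%n",
                    url, antMatches(url), regexMatches(url));
        }
    }
}
```

Any row where the ant column is true and the regex column is false is a URL that the anonymous-access rule admits beyond the literal `?wsdl` request, which is the case to review before relying on the ant pattern.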