  • Error: "IllegalArgumentException: A universal match pattern ('/**') is defined..."

    Hi Everyone,

    I am seeing an issue with my configuration. It is causing a Spring Security error:

    Code:
    Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration
            at org.springframework.security.config.http.DefaultFilterChainValidator.checkPathOrder(DefaultFilterChainValidator.java:49)
            at org.springframework.security.config.http.DefaultFilterChainValidator.validate(DefaultFilterChainValidator.java:39)
            at org.springframework.security.web.FilterChainProxy.afterPropertiesSet(FilterChainProxy.java:148)

    I am using Spring Framework 3.0.6.RELEASE, plus the following Spring Security libraries:

    Code:
    spring-security-config-3.1.0.RELEASE.jar
    spring-security-core-3.1.0.RELEASE.jar
    spring-security-crypto-3.1.0.RELEASE.jar
    spring-security-oauth-1.0.0.M5.jar
    spring-security-oauth2-1.0.0.M5.jar
    spring-security-web-3.1.0.RELEASE.jar

    My OAuth2 security configuration is below. Most of it was copied out of the Sparklr sample app:

    Code:
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
        xmlns:security="http://www.springframework.org/schema/security"
        xmlns:p="http://www.springframework.org/schema/p"
        xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
        	http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
        	http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
    
    	<oauth:authorization-server client-details-service-ref="storews.clientDetailsService" token-services-ref="storews.tokenServices">
    		<oauth:authorization-code />
    		<oauth:implicit disabled="true" />
    		<oauth:refresh-token disabled="true" />
    		<oauth:client-credentials disabled="true" />
    		<oauth:password disabled="true" />
    	</oauth:authorization-server>
    
    <!-- AUTH ENDPOINT -->
    	<http access-denied-page="/oauth/login.jsp" access-decision-manager-ref="storews.accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
    		<!-- This needs to be anonymous so that the auth endpoint can handle oauth errors itself -->
    		<intercept-url pattern="/oauth/authorize" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<intercept-url pattern="/oauth/**" access="ROLE_USER" />
    		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY,DENY_OAUTH" />
    
    		<form-login authentication-failure-url="/oauth/login.jsp" default-target-url="/index.jsp" login-page="/oauth/login.jsp"
    			login-processing-url="/login.do" />
    		<logout logout-success-url="/index.jsp" logout-url="/logout.do" />
    		<anonymous />
    		<custom-filter ref="storews.resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
    	</http>
     
    	<oauth:resource-server id="storews.resourceServerFilter" token-services-ref="storews.tokenServices" />
    	
    	<bean id="storews.accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    		<constructor-arg>
    			<list>
    				<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
    				<bean class="org.springframework.security.access.vote.RoleVoter" />
    				<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
    			</list>
    		</constructor-arg>
    	</bean>
    
    	<!-- Token Endpoint -->
    	<http create-session="never" xmlns="http://www.springframework.org/schema/security"
    	      authentication-manager-ref="storews.clientAuthenticationManager">
    		<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    		<anonymous enabled="false" />
    		<http-basic />
    		<custom-filter ref="storews.clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
    	</http>
    	
    	<bean id="storews.clientCredentialsTokenEndpointFilter"
    	      class="com.company.security.oauth2.filter.ClientMacAuthorizationTokenEndpointFilter"
    	      p:authenticationManager-ref="storews.clientAuthenticationManager" />
    	 
    	<authentication-manager alias="storews.clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
    		<authentication-provider user-service-ref="storews.clientDetailsUserDetailsService" />
    	</authentication-manager>
    	
    	<bean id="storews.clientDetailsUserDetailsService" class="com.company.security.oauth2.ClientDetailsUserDetailsService"
    		p:clientDetailsService-ref="storews.clientDetailsService" />
    	
    	<oauth:client-details-service id="storews.clientDetailsService">
    		<oauth:client client-id="myClientId" 
    			secret="secret"
    			authorized-grant-types="authorization_code"
    			authorities="ROLE_TRUSTED_CLIENT" 
    			redirect-uri="https://shop.clientcompany.com/oauth/return" />
    	</oauth:client-details-service>
    
    	<bean id="storews.tokenServices" class="org.springframework.security.oauth2.provider.token.RandomValueTokenServices"
    		p:accessTokenValiditySeconds="31536000" p:supportRefreshToken="false">
    		<property name="tokenStore">
    			<bean class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
    		</property>
    	</bean>
    
    	</beans>

    If I remove the "AUTH ENDPOINT" <http> element, the stack trace goes away. I tried removing individual <intercept-url> elements, but the error persists.

    Am I doing something wrong, or is this a known issue?

    Thank you!

  • #2
    It is because the http blocks are also considered in order and the default pattern for an http block is /**. Without having a pattern attribute on all but the last http block the other block will never be seen. Adding pattern to the first http block should fix your problem. If pattern does not work, you can also use a custom instance of RequestMatcher with request-matcher-ref.


    • #3
      Thank you very much! That worked wonderfully.
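
The ordering that reply #2 describes, as an added example that is not part of the original thread or of the Sparklr sample: each `<http>` element is its own filter chain, consulted in declaration order, so the token-endpoint chain gets an explicit `pattern` and the pattern-less chain (which matches `/**`) is declared last. Declaring the token chain first and the `pattern="/oauth/token"` value are assumptions; the bean ids and child elements are the poster's.

```xml
<!-- Added example: only the two <http> chains are shown. All other beans
     from the original configuration stay unchanged. -->

<!-- Token endpoint: explicit pattern, declared first so it is consulted
     before the catch-all chain (assumed ordering and pattern value). -->
<http pattern="/oauth/token" create-session="never"
      authentication-manager-ref="storews.clientAuthenticationManager"
      xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <anonymous enabled="false" />
    <http-basic />
    <custom-filter ref="storews.clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
</http>

<!-- Everything else: no pattern attribute means /**, so this chain has to
     be the last <http> element or the chain validator rejects the config. -->
<http access-denied-page="/oauth/login.jsp"
      access-decision-manager-ref="storews.accessDecisionManager"
      xmlns="http://www.springframework.org/schema/security">
    <!-- Anonymous so that the auth endpoint can handle OAuth errors itself -->
    <intercept-url pattern="/oauth/authorize" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/oauth/**" access="ROLE_USER" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY,DENY_OAUTH" />

    <form-login authentication-failure-url="/oauth/login.jsp" default-target-url="/index.jsp"
                login-page="/oauth/login.jsp" login-processing-url="/login.do" />
    <logout logout-success-url="/index.jsp" logout-url="/logout.do" />
    <anonymous />
    <custom-filter ref="storews.resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
</http>
```

Only the first chain whose pattern matches handles a request, so a broader pattern such as `/oauth/**` placed ahead of `/oauth/token` would clear the universal-pattern error yet still keep the token chain, and its client authentication, from ever being applied.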
