I wonder why my Spring security is not working. I've got this spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <http auto-config='true'>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <port-mappings>
      <port-mapping http="8088" https="9443"/>
    </port-mappings>
  </http>
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="admin" password="password2" authorities="ROLE_USER" />
        <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
        <user name="bob" password="bobspassword" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
Then I got this web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/spring/admin-servlet-common.xml
      /WEB-INF/spring/admin-servlet-controller.xml
      /WEB-INF/spring/admin-servlet-security.xml
      /WEB-INF/spring/admin-servlet-service.xml
      /WEB-INF/spring-security.xml
      classpath:ses-service.xml
    </param-value>
  </context-param>
  <context-param>
    <param-name>log4jConfigLocation</param-name>
    <param-value>/WEB-INF/log4j.xml</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
  </listener>
  <!-- Reads request input using UTF-8 encoding -->
  <filter>
    <filter-name>characterEncodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
      <param-name>encoding</param-name>
      <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
      <param-name>forceEncoding</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>characterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- Enables clean URLs with JSP views e.g. /welcome instead of /app/welcome -->
  <filter>
    <filter-name>UrlRewriteFilter</filter-name>
    <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>UrlRewriteFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- Spring Security -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- Handles all requests into the application -->
  <servlet>
    <servlet-name>ses</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>ses</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>
</web-app>
But it neither gives an error message nor enables security. There is no change in my webapp and I can still browse the pages, e.g. http://localhost:8088/admin/login and http://localhost:8088/admin/menu . This project is the admin part of a web app and I'm enabling security for the admin web. What can be done? My own login page that I'd like to use is http://localhost:8088/admin/login and I'd like to secure the rest of the /admin* pages for the admin role.
2 Answers
The UrlRewriteFilter is listed first and will bypass Spring Security by forwarding to other places within the application. In general, the springSecurityFilterChain should be the first in your web.xml to ensure it intercepts all requests.
I'd also consider removing UrlRewriteFilter altogether (as it can make for very confusing mappings in your intercept-urls). In the past it was used to remove the /app mapping assigned to Spring's DispatcherServlet, which can easily be avoided by mapping the DispatcherServlet to /:
  <servlet-mapping>
    <servlet-name>ses</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
You can find some more discussion about Spring Security and UrlRewriteFilter on the Spring Security forums.
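The reordered web.xml that the answer describes, written out as an added example (it is not the answerer's file, and the question's own web.xml is left as posted above). The filter-mapping order is what determines the chain order, so springSecurityFilterChain is mapped ahead of anything that could forward or redirect, UrlRewriteFilter is dropped, and the DispatcherServlet takes `/` so there is no `/app` prefix left to rewrite away. The one deliberate difference from "security filter first" is that CharacterEncodingFilter stays ahead of it: it never forwards, it only sets the request encoding and continues the chain, and it has to run before Spring Security reads j_username/j_password from a POSTed login form, otherwise non-ASCII credentials are decoded with the container default. The listeners and context-param entries are the ones from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/spring/admin-servlet-common.xml
      /WEB-INF/spring/admin-servlet-controller.xml
      /WEB-INF/spring/admin-servlet-security.xml
      /WEB-INF/spring/admin-servlet-service.xml
      /WEB-INF/spring-security.xml
      classpath:ses-service.xml
    </param-value>
  </context-param>
  <context-param>
    <param-name>log4jConfigLocation</param-name>
    <param-value>/WEB-INF/log4j.xml</param-value>
  </context-param>

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
  </listener>

  <!-- 1. Encoding filter: only sets the request/response charset and always
          calls chain.doFilter(), so it is safe in front of Spring Security and
          must run before the login form parameters are read. -->
  <filter>
    <filter-name>characterEncodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
      <param-name>encoding</param-name>
      <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
      <param-name>forceEncoding</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>

  <!-- 2. Spring Security: the bean name "springSecurityFilterChain" is what
          DelegatingFilterProxy looks up in the root context. Its mapping is
          declared before any other filter-mapping that could forward away. -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>

  <!-- Mapping order == chain order. No UrlRewriteFilter any more. -->
  <filter-mapping>
    <filter-name>characterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- DispatcherServlet on "/" so /login and /menu reach it directly; with no
       /app prefix the intercept-url patterns match the URL the browser sends. -->
  <servlet>
    <servlet-name>ses</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>ses</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>
```

Two things to check after making this change. First, with the DispatcherServlet on `/` every request, including static files, goes through Spring MVC; in Spring 3.0.4 and later add `<mvc:resources mapping="/resources/**" location="/resources/"/>` or `<mvc:default-servlet-handler/>` to the servlet context so CSS and images are still served. Second, a quick way to confirm the chain is now in front of everything is to request a protected page with a fresh (cookie-less) client: an unauthenticated request for /admin/menu should come back as a 302 to the login page rather than the page itself, which is exactly what the question reports not happening.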
Comments
<intercept-url pattern="/**" access="ROLE_USER" />
does it mean that you allow access to all pages for users with ROLE_USER (all 3 users have that role)?
<intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
<intercept-url pattern="/**" access="ROLE_USER" />
should allow access to admin pages only for users with ROLE_ADMIN, and the rest of the pages as it works now
admin-servlet-security.xml? Because if not, you need to add it to the contextConfigLocation list in your web.xml
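Putting the intercept-url ordering from the comments together with what the question asks for (own login page at http://localhost:8088/admin/login, every other page in the admin webapp restricted to the admin role), as an added example; it is not code from the question, the answer or the comments. It assumes the admin project is deployed as a WAR with context path /admin and that the DispatcherServlet is mapped to / without UrlRewriteFilter. That matters for the patterns: Spring Security matches intercept-url patterns against the request path with the context path removed, so inside an /admin WAR the login page is /login, not /admin/login, and a pattern of /admin/** would never match anything. It also assumes a controller already renders the login view at /login. The in-memory users are the ones from the question; only jimi holds ROLE_ADMIN there, so the user named "admin" is still locked out by the /** rule unless it is given that authority.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- Patterns are matched against the path WITHOUT the context path.
       Assumption: this WAR is deployed as /admin, so the browser URL
       http://localhost:8088/admin/login is "/login" here. -->
  <http auto-config="true" use-expressions="true">

    <!-- Rules are evaluated top to bottom, first match wins: most specific
         first. The login page itself must be reachable anonymously, or an
         unauthenticated user is redirected to it and bounced straight back
         (redirect loop). -->
    <intercept-url pattern="/login" access="permitAll"/>

    <!-- Everything else in the admin WAR requires ROLE_ADMIN. A plain
         ROLE_USER such as bob gets 403 after logging in. -->
    <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')"/>

    <!-- Own login view served by a controller at /login (assumed). The form
         must POST to /j_spring_security_check with fields j_username and
         j_password (Spring Security 3.1 defaults). -->
    <form-login login-page="/login"
                authentication-failure-url="/login?error=true"
                default-target-url="/menu"/>
    <logout logout-url="/logout" logout-success-url="/login"/>

    <port-mappings>
      <port-mapping http="8088" https="9443"/>
    </port-mappings>
  </http>

  <!-- Users copied from the question. Plaintext in-memory accounts are only
       acceptable for a demo; only jimi carries ROLE_ADMIN. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="admin" password="password2" authorities="ROLE_USER" />
        <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
        <user name="bob" password="bobspassword" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

If the admin pages are instead served from a shared WAR under a /admin URL prefix (context path / rather than /admin), the two patterns become /admin/login and /admin/** and the form-login URLs change accordingly; the ordering rule is the same either way. Whichever layout applies, the file this lives in has to be one of the entries in contextConfigLocation in web.xml, or the namespace configuration is never loaded and DelegatingFilterProxy fails at startup with "No bean named 'springSecurityFilterChain'".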