[ROO-1585] HttpMethodFilter should come before springSecurityFilterChain in web.xml - Spring JIRA

This issue belongs to an archived project. You can view it, but you can't modify it. Learn more

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Complete
Affects Version/s: 1.1.0.RC1
Fix Version/s: 1.1.0.RELEASE
Component/s: SECURITY
Labels:
None
Environment:
Mac OS X 10.6.4, Windows 7 64-bit JDK 1.6.0_22

Reference URL:
http://forum.springsource.org/showthread.php?t=96813

Description

When adding security to a Roo project with the "security setup" command, a filter is added to the web.xml for Spring Security. This filter is put before HttpMethodFilter, but it needs to be put after. HttpMethodFilter is responsible for converting the Spring MVC HTTP POST with parameter _method=DELETE into an actual HTTP DELETE method. If you want to define a Spring Security <intercept-url> with method="DELETE", a delete request will only be intercepted if the request has been converted to the HTTP DELETE method previously. Thus the HttpMethodFilter needs to have been called first, and should be put before the springSecurityFilterChain filter in the web.xml.

Attachments

Activity

People

Assignee:: Alan Stewart

Reporter:: Bryan Keller

Archiver:: Trevor Marshall

Dates

Created:: 17/Oct/10 11:44 AM

Updated:: 17/Oct/10 9:36 PM

Resolved:: 17/Oct/10 9:36 PM

Archived:: 09/Feb/23 11:24 PM