Spring Security
  1. Spring Security
  2. SEC-1171

Allow multiple namespace <http> elements to support multiple filter chain configurations

    Details

    • Type: New Feature New Feature
    • Status: Closed
    • Priority: Major Major
    • Resolution: Complete
    • Affects Version/s: 2.0.4, 3.0.0 M1
    • Fix Version/s: 3.1.0.M1
    • Component/s: Namespace
    • Labels:
      None

      Description

      The main use case for this is supporting stateless and stateful URLs within the same application (different session creation policies). For example, a normal application which users can log into may also expose REST service endpoints.

        Issue Links

          Activity

          Hide
          Jamie Cramb added a comment -

          Another use case for this is if you have multiple "channels" (mobile site, desktop site, admin portal, etc) ; without being able to have multiple http elements you can't configure a channel-specific login pages, access denied pages, etc.

          I've been able to work around this before by using a single http element with additional login/logout handlers and a custom ExceptionTranslationFilter that can invoke the correct AuthenticationEntryPoint / AccessDeniedHandler based on URL patterns but this would make it much cleaner.

          Show
          Jamie Cramb added a comment - Another use case for this is if you have multiple "channels" (mobile site, desktop site, admin portal, etc) ; without being able to have multiple http elements you can't configure a channel-specific login pages, access denied pages, etc. I've been able to work around this before by using a single http element with additional login/logout handlers and a custom ExceptionTranslationFilter that can invoke the correct AuthenticationEntryPoint / AccessDeniedHandler based on URL patterns but this would make it much cleaner.
          Hide
          Luke Taylor added a comment -

          Most of the work for this issue is already in the trunk (see the source tab), so feel free to try it out.

          Please keep the comments specific to the work on the issue and how the feature is implemented. We all know there are plenty of use cases .

          Show
          Luke Taylor added a comment - Most of the work for this issue is already in the trunk (see the source tab), so feel free to try it out. Please keep the comments specific to the work on the issue and how the feature is implemented. We all know there are plenty of use cases .
          Hide
          Luke Taylor added a comment -

          Complete based on current design. There may be some scope for syntax changes later but these will be raised as separate issues.

          One side-effect of this issue is that the use of the filters='none' attribute on an <intercept-url> element is no longer supported. Patterns which should bypass security should use a separate, childless, <http> element with the required pattern and the attribute security='none' instead. The docs and examples have been updated to use the new sytax.

          Show
          Luke Taylor added a comment - Complete based on current design. There may be some scope for syntax changes later but these will be raised as separate issues. One side-effect of this issue is that the use of the filters='none' attribute on an <intercept-url> element is no longer supported. Patterns which should bypass security should use a separate, childless, <http> element with the required pattern and the attribute security='none' instead. The docs and examples have been updated to use the new sytax.
          Hide
          Kuntal Mondal added a comment -

          Hi Luke,
          I am still getting the same problem with 3.1.0-M1 release.
          Can you pls. let me know what changes I need to do?

          My <http> declarations are as shown above.
          In my WEB-INF/lib directory I have following Spring jars.
          Am I missing any thing there?

          org.springframework.aop-3.0.3.RELEASE.jar
          org.springframework.asm-3.0.3.RELEASE.jar
          org.springframework.beans-3.0.3.RELEASE.jar
          org.springframework.context-3.0.3.RELEASE.jar
          org.springframework.core-3.0.3.RELEASE.jar
          org.springframework.expression-3.0.3.RELEASE.jar
          org.springframework.jdbc-3.0.3.RELEASE.jar
          org.springframework.ldap-1.3.0.RELEASE.jar
          org.springframework.web-3.0.3.RELEASE.jar
          org.springframework.web.servlet-3.0.3.RELEASE.jar
          spring-security-config-3.1.0.M1.jar
          spring-security-core-3.1.0.M1.jar
          spring-security-ldap-3.1.0.M1.jar
          spring-security-taglibs-3.1.0.M1.jar
          spring-security-web-3.1.0.M1.jar
          spring-tx-3.0.3.RELEASE.jar

          Thanks a lot,

          • Kuntal
          Show
          Kuntal Mondal added a comment - Hi Luke, I am still getting the same problem with 3.1.0-M1 release. Can you pls. let me know what changes I need to do? My <http> declarations are as shown above. In my WEB-INF/lib directory I have following Spring jars. Am I missing any thing there? org.springframework.aop-3.0.3.RELEASE.jar org.springframework.asm-3.0.3.RELEASE.jar org.springframework.beans-3.0.3.RELEASE.jar org.springframework.context-3.0.3.RELEASE.jar org.springframework.core-3.0.3.RELEASE.jar org.springframework.expression-3.0.3.RELEASE.jar org.springframework.jdbc-3.0.3.RELEASE.jar org.springframework.ldap-1.3.0.RELEASE.jar org.springframework.web-3.0.3.RELEASE.jar org.springframework.web.servlet-3.0.3.RELEASE.jar spring-security-config-3.1.0.M1.jar spring-security-core-3.1.0.M1.jar spring-security-ldap-3.1.0.M1.jar spring-security-taglibs-3.1.0.M1.jar spring-security-web-3.1.0.M1.jar spring-tx-3.0.3.RELEASE.jar Thanks a lot, Kuntal
          Hide
          Luke Taylor added a comment -

          The syntax is explained in the reference manual. If you have problems, please post your questions in the forum rather than the issue tracker.

          Show
          Luke Taylor added a comment - The syntax is explained in the reference manual. If you have problems, please post your questions in the forum rather than the issue tracker.

            People

            • Assignee:
              Luke Taylor
              Reporter:
              Luke Taylor
            • Votes:
              21 Vote for this issue
              Watchers:
              25 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: