Spring Security - SEC-1171

Allow multiple namespace <http> elements to support multiple filter chain configurations

Details

• Type: New Feature
• Status: Closed
• Priority: Major
• Resolution: Complete
• Affects Version/s: 2.0.4, 3.0.0 M1
• Fix Version/s: 3.1.0.M1
• Component/s: Namespace
• Labels: None

Description

The main use case for this is supporting stateless and stateful URLs within the same application (different session creation policies). For example, a normal application which users can log into may also expose REST service endpoints.

Activity

Luke Taylor created issue -

Alex Marshall added a comment -

One specific use case for this feature is having a RESTful web service that you want to use HTTP BASIC authentication along one path of URLs, and using form authentication for the rest of your URLs.
Luke Taylor made changes -
Component/s: Core [ 10110 ] -> Namespace [ 10522 ]
Fix Version/s: 3.1.0 [ 11174 ] -> 3.0.0 RC1 [ 11172 ]
Markus Wolf added a comment -

Another use case is providing Atom/RSS feeds at specified URLs which should be secured.
There are many feed readers which could not authenticate with such URLs since they get a redirect to the login form.
Luke Taylor added a comment -

An alternative option (more feasible in 3.0, since we have reduced the use of global beans) would be to permit the use of more than one <http> block, and assemble a single FilterChainProxy from the results. This would require some careful consideration though.
Luke Taylor made changes -
Link: This issue supersedes SEC-1475 [ SEC-1475 ]

Luke Taylor made changes -
Summary: "Allow overriding of session creation policy (and possibly end point) for specific URLs within the namespace" -> "Allow multiple namespace <http> elements to support multiple filter chain configurations"
Description (original): "This would require a duplication of the filter chain using an alternative SecurityContextPersistenceFilter. A separate ExceptionTranslationFilter would also be required if different AuthenticationEntryPoints were required. The main use case for this is supporting stateless and stateful URLs within the same application (different session creation policies). For example, a normal application which users can log into may also expose Rest service endpoints."
Description (new): "The main use case for this is supporting stateless and stateful URLs within the same application (different session creation policies). For example, a normal application which users can log into may also expose Rest service endpoints."

Luke Taylor made changes -
Description: "Rest service endpoints" -> "REST service endpoints" (otherwise unchanged)
Caoilte O'Connor added a comment -

We have a checkout flow which has very slightly different properties to the standard flow and requires its own EndPoint (different login pages and messaging controls) and authentication filter (different redirects on success and failure).

This was all possible with Spring Security 2.0 but is difficult with 3.0 namespace configuration (which seems a lot lot less flexible). I have a hacky workaround and I could fall back to a FilterChainProxy but it would be nice to have a clean implementation for what must be a very common business requirement.
TimP added a comment -

This may not be relevant, but I got misled by this bug so want to mention that you can support http-basic authentication and forms authentication for the same URL.
If basic authentication is present it will be honoured; you will not be redirected to a form login.
wget relies upon a challenge before supplying authentication, so wget will get redirected unless you use the --auth-no-challenge qualifier.
Jamie Cramb added a comment -

Another use case for this is if you have multiple "channels" (mobile site, desktop site, admin portal, etc.); without being able to have multiple http elements you can't configure channel-specific login pages, access denied pages, etc.

I've been able to work around this before by using a single http element with additional login/logout handlers and a custom ExceptionTranslationFilter that can invoke the correct AuthenticationEntryPoint / AccessDeniedHandler based on URL patterns, but this would make it much cleaner.
Luke Taylor added a comment -

Most of the work for this issue is already in the trunk (see the source tab), so feel free to try it out.

Please keep the comments specific to the work on the issue and how the feature is implemented. We all know there are plenty of use cases.
Luke Taylor added a comment -

Complete based on current design. There may be some scope for syntax changes later but these will be raised as separate issues.

One side-effect of this issue is that the use of the filters='none' attribute on an <intercept-url> element is no longer supported. Patterns which should bypass security should use a separate, childless, <http> element with the required pattern and the attribute security='none' instead. The docs and examples have been updated to use the new syntax.
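The following is an added illustration of the resulting 3.1 namespace syntax, written for this page; it is not configuration from the issue or from the Spring Security project. It puts the three things discussed above side by side: a pattern-scoped <http security="none"> chain that replaces the removed filters='none' attribute, a stateless HTTP Basic chain for REST endpoints, and a session-based form-login chain for the browser application. The paths (/resources/**, /services/**, /login.jsp) and the in-memory user are assumed placeholders, not values from the issue.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Chain 1 (assumed path): static resources bypass the security filters entirely.
         This is the 3.1 replacement for <intercept-url pattern="..." filters="none"/>.
         Nothing under this pattern is protected, so only truly public content belongs here. -->
    <http pattern="/resources/**" security="none"/>

    <!-- Chain 2 (assumed path): stateless REST endpoints. No HttpSession is created,
         HTTP Basic credentials are honoured, and an unauthenticated request receives a
         401 challenge instead of a redirect to the login form. -->
    <http pattern="/services/**" create-session="stateless" use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <http-basic/>
    </http>

    <!-- Chain 3: the browser-facing application. It has no pattern attribute, so it
         matches every request not claimed by an earlier chain. Chains are matched in
         declaration order and the first match wins, which is why this catch-all
         chain is declared last. -->
    <http use-expressions="true">
        <intercept-url pattern="/login.jsp" access="permitAll"/>
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <form-login login-page="/login.jsp"
                    authentication-failure-url="/login.jsp?error=1"/>
        <logout logout-success-url="/login.jsp"/>
        <session-management invalid-session-url="/login.jsp">
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
        </session-management>
    </http>

    <!-- One AuthenticationManager shared by both authenticated chains.
         The in-memory user is a placeholder; a real deployment would use a
         proper user store and hashed passwords. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="api-client" password="CHANGE-ME" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

Each <http> element becomes one entry in the single FilterChainProxy, keyed by its pattern attribute. A second <http> element without a pattern would never be reached, since the first pattern-less chain already matches every request; giving each chain a distinct pattern and ordering them from most to least specific is the part that makes the two-chain setup work.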
Luke Taylor made changes -
Status: Open [ 1 ] -> Resolved [ 5 ]
Resolution: Complete [ 8 ]
Luke Taylor made changes -
Comment [ I am using latest "spring-security-3.1.0.M1" release and trying to achieve multiple namespace <http> elements - i.e. both "form based" and "basic authentication" mechanisms.
In my applicationContext-security.xml file I have defined two <http> elements - but my web application always fails with the following error.
My application server is GlassFish v3.

If I use "only one" <http> element it works fine, i.e. individual "form based" and individual "basic authentication" works fine.
But if I want to use both together, I always get this error.

Thus I wonder if it is my application specific issue or the issue in Spring Security framework itself?
I have to support both types of authentication mechanism for the same web app.

Can you pls. anyone help me?

==============================
          [#|2010-11-15T12:30:56.304-0800|WARNING|glassfishv3.0|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=28;_ThreadName=http-thread-pool-4848-(2);|java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected exception parsing XML document from ServletContext resource [/WEB-INF/applicationContext-security.xml]; nested exception is java.lang.NullPointerException
          java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected exception parsing XML document from ServletContext resource [/WEB-INF/applicationContext-security.xml]; nested exception is java.lang.NullPointerException
          at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:932)
          at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:912)
          at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:694)
          at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1933)
          at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1605)
          at com.sun.enterprise.web.WebApplication.start(WebApplication.java:90)
          at org.glassfish.internal.data.EngineRef.start(EngineRef.java:126)
          at org.glassfish.internal.data.ModuleInfo.start(ModuleInfo.java:241)
          at org.glassfish.internal.data.ApplicationInfo.start(ApplicationInfo.java:236)
          at com.sun.enterprise.v3.server.ApplicationLifecycle.deploy(ApplicationLifecycle.java:339)
          at com.sun.enterprise.v3.server.ApplicationLifecycle.deploy(ApplicationLifecycle.java:183)
          at org.glassfish.deployment.admin.DeployCommand.execute(DeployCommand.java:272)
          at com.sun.enterprise.v3.admin.CommandRunnerImpl$1.execute(CommandRunnerImpl.java:305)
          at com.sun.enterprise.v3.admin.CommandRunnerImpl.doCommand(CommandRunnerImpl.java:320)
          at com.sun.enterprise.v3.admin.CommandRunnerImpl.doCommand(CommandRunnerImpl.java:1176)
          at com.sun.enterprise.v3.admin.CommandRunnerImpl.access$900(CommandRunnerImpl.java:83)
          at com.sun.enterprise.v3.admin.CommandRunnerImpl$ExecutionContext.execute(CommandRunnerImpl.java:1235)
          at com.sun.enterprise.v3.admin.CommandRunnerImpl$ExecutionContext.execute(CommandRunnerImpl.java:1224)
          at com.sun.enterprise.v3.admin.AdminAdapter.doCommand(AdminAdapter.java:365)
          at com.sun.enterprise.v3.admin.AdminAdapter.service(AdminAdapter.java:204)
          at com.sun.grizzly.tcp.http11.GrizzlyAdapter.service(GrizzlyAdapter.java:166)
          at com.sun.enterprise.v3.server.HK2Dispatcher.dispath(HK2Dispatcher.java:100)
          at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:245)
          at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:791)
          at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:693)
          at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:954)
          at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:170)
          at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
          at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
          at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
          at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
          at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
          at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
          at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
          at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:330)
          at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:309)
          at java.lang.Thread.run(Thread.java:619)
          |#]
          ]
Luke Taylor made changes -
Comment [ Here are my two <http> declarations

<http use-expressions="true" entry-point-ref="basicProcessingFilterEntryPoint">
    <custom-filter ref="basicAuthenticationFilter" before="FORM_LOGIN_FILTER"/>
    <intercept-url pattern="/services/**" access="isAuthenticated()"/>
</http>

<http use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <custom-filter ref="myAuthenticationFilter" position="FORM_LOGIN_FILTER"/>

    <intercept-url pattern="/login.jsp" access="permitAll"/>
    <intercept-url pattern="/lostpassword.jsp" access="permitAll"/>
    <intercept-url pattern="/lostpassword" access="permitAll"/>
    <intercept-url pattern="/resetpassword" access="permitAll"/>
    <intercept-url pattern="/resetConfirmation" access="permitAll"/>
    <intercept-url pattern="/changePassword.jsp" access="permitAll"/>
    <intercept-url pattern="/changepassword" access="permitAll"/>
    <intercept-url pattern="/imf/**" access="permitAll"/>
    <intercept-url pattern="/edm/**" access="permitAll"/>

    <intercept-url pattern="/discovery.html" access="isAuthenticated()"/>
    <intercept-url pattern="/discovery/**" access="isAuthenticated()"/>

    <logout logout-success-url="/login.jsp"/>

    <session-management session-authentication-error-url="/login.jsp" invalid-session-url="/login.jsp">
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
    </session-management>
</http> ]
Luke Taylor made changes -
Status: Resolved [ 5 ] -> Closed [ 6 ]
Kuntal Mondal added a comment -

Hi Luke,
I am still getting the same problem with 3.1.0-M1 release.
Can you pls. let me know what changes I need to do?

My <http> declarations are as shown above.
In my WEB-INF/lib directory I have the following Spring jars.
Am I missing anything there?

org.springframework.aop-3.0.3.RELEASE.jar
org.springframework.asm-3.0.3.RELEASE.jar
org.springframework.beans-3.0.3.RELEASE.jar
org.springframework.context-3.0.3.RELEASE.jar
org.springframework.core-3.0.3.RELEASE.jar
org.springframework.expression-3.0.3.RELEASE.jar
org.springframework.jdbc-3.0.3.RELEASE.jar
org.springframework.ldap-1.3.0.RELEASE.jar
org.springframework.web-3.0.3.RELEASE.jar
org.springframework.web.servlet-3.0.3.RELEASE.jar
spring-security-config-3.1.0.M1.jar
spring-security-core-3.1.0.M1.jar
spring-security-ldap-3.1.0.M1.jar
spring-security-taglibs-3.1.0.M1.jar
spring-security-web-3.1.0.M1.jar
spring-tx-3.0.3.RELEASE.jar

Thanks a lot,

Kuntal
Luke Taylor added a comment -

The syntax is explained in the reference manual. If you have problems, please post your questions in the forum rather than the issue tracker.
Trevor Marshall made changes -
Workflow: jira [ 27071 ] -> SPR Workflow [ 55586 ]

Transition          | Time In Source Status | Execution Times | Last Executer | Last Execution Date
Open -> Resolved    | 442d 12h 33m          | 1               | Luke Taylor   | 16/Aug/10 3:41 PM
Resolved -> Closed  | 92d 21h 53m           | 1               | Luke Taylor   | 17/Nov/10 12:35 PM

People

• Assignee: Luke Taylor
• Reporter: Luke Taylor
• Votes: 21
• Watchers: 25