I'm using a custom Spring Security filter which overrides AbstractAuthenticationProcessingFilter but I must have written it incorrectly as it seems to never call the rest of the filter chain. Specifically, I'm relying on the OpenEntityManagerInViewFilter filter to ensure Jackson+Hibernate can handle lazy-loaded objects.
If my web.xml has OpenEntityManagerInViewFilter first, everything works:

<filter>
    <filter-name>hibernateFilterChain</filter-name>
    <filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>hibernateFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

If I place the springSecurityFilterChain at the top, however, my application behaves as though I didn't specify the OpenEntityManagerInViewFilter at all.
Here is my springSecurity.xml:

<?xml version="1.0"?>
<beans xmlns="http://ift.tt/GArMu6"
       xmlns:security="http://ift.tt/1c8inpe"
       xmlns:xsi="http://ift.tt/ra1lAU" xmlns:p="http://ift.tt/1jdM0fE"
       xsi:schemaLocation="http://ift.tt/GArMu6
           http://ift.tt/QEDs1e
           http://ift.tt/1c8inpe
           http://ift.tt/1epvZ6L">

    <security:http entry-point-ref="restAuthenticationEntryPoint"
                   use-expressions="true" create-session="stateless">
        <security:custom-filter ref="authenticationTokenProcessingFilter"
                                position="FORM_LOGIN_FILTER" />
        <security:intercept-url pattern="/**"
                                access="isAuthenticated()" />
        <security:logout />
    </security:http>

    <bean class="edu.ucdavis.dss.dw.security.CustomTokenAuthenticationFilter"
          id="authenticationTokenProcessingFilter">
        <constructor-arg type="java.lang.String">
            <value>/**</value>
        </constructor-arg>
    </bean>

    <security:authentication-manager>
        <security:authentication-provider
            user-service-ref="userService"></security:authentication-provider>
    </security:authentication-manager>

    <bean id="userService" class="edu.ucdavis.dss.dw.services.UserAuthenticationService"></bean>
</beans>

And finally, here is the CustomTokenAuthenticationFilter itself, which may be causing the issues:
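
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class CustomTokenAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    @Autowired @Qualifier("org.springframework.security.authenticationManager")
    private AuthenticationManager authenticationManager;

    public CustomTokenAuthenticationFilter(String defaultFilterProcessesUrl) {
        super(defaultFilterProcessesUrl);
        // Match every request covered by the pattern, not only a login URL.
        super.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher(defaultFilterProcessesUrl));
        setAuthenticationManager(new NoOpAuthenticationManager());
        setAuthenticationSuccessHandler(new TokenSimpleUrlAuthenticationSuccessHandler());
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
        // The token arrives as a request parameter.
        String token = request.getParameter("token");
        if (token == null) {
            throw new AuthenticationServiceException("Token Missing");
        }
        Authentication authResponse;
        try {
            // Uses the autowired manager field, not the one passed to setAuthenticationManager().
            authResponse = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(token, "dssit"));
        } catch (AuthenticationException e) {
            throw new AuthenticationServiceException("Bad Token");
        }
        return authResponse;
    }
}
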
In summary: I made a custom security filter and it appears not to call any filters which are listed after it. If I remove my custom filter and use something built-in like security:http-basic, it works fine.
Thanks in advance for any help you can offer.
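
An added example, not part of the original post: after a successful `attemptAuthentication`, `AbstractAuthenticationProcessingFilter` calls `successfulAuthentication`, whose default implementation hands the request to the success handler and does not invoke the remaining filters, so a filter that authenticates every request has to continue the chain itself. The class name `ChainContinuingTokenFilter` and the placeholder credential are assumptions, as are the `javax.servlet` and Spring Security 3.2+ package names.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical class name; sketch of a per-request token filter that keeps the chain going.
public class ChainContinuingTokenFilter extends AbstractAuthenticationProcessingFilter {

    // Placeholder, not a real secret: stands in for whatever credential the user service expects.
    private static final String PLACEHOLDER_CREDENTIAL = "<credential>";

    public ChainContinuingTokenFilter(String pattern) {
        super(pattern);
        setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher(pattern));
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String token = request.getParameter("token");
        if (token == null) {
            throw new AuthenticationServiceException("Token Missing");
        }
        // Delegate to the manager injected through setAuthenticationManager().
        return getAuthenticationManager()
                .authenticate(new UsernamePasswordAuthenticationToken(token, PLACEHOLDER_CREDENTIAL));
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication authResult) throws IOException, ServletException {
        // Publish the result so later filters and intercept-url rules see an authenticated request.
        SecurityContextHolder.getContext().setAuthentication(authResult);
        // The default implementation stops here and calls the success handler;
        // continuing the chain lets filters declared after Spring Security run.
        chain.doFilter(request, response);
    }
}
```

The filter still needs an `AuthenticationManager` supplied through `setAuthenticationManager`, for example as a bean property. `setContinueChainBeforeSuccessfulAuthentication(true)` also continues the chain, but it does so before the security context is populated.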