vendredi 20 mars 2015

Spring security filter blocking restful api calls

I have a web application using Spring 4. I'm using Spring security here. In the mean time I need to open a restful api with no security. Issue is till the security filter is enabled my rest rest POST calls get a 405 Method Not Allowed response(Still the GET works). When I comment the security filter from the web.xml POST works fine. I tried adding following line to security xml but didn't help.



<intercept-url pattern="/rest**" access="permitAll" />


My web.xml , security filter is and the end which when commented POST start working.



<web-app xmlns="http://ift.tt/nSRXKP" xmlns:xsi="http://ift.tt/ra1lAU"
     xsi:schemaLocation="http://ift.tt/nSRXKP
      http://ift.tt/LU8AHS"
     version="2.5">

<display-name>Counter Web Application</display-name>

<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>
        org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<!-- Loads Spring Security config file -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/application-security.xml,
        /WEB-INF/application-database.xml
    </param-value>
</context-param>

 <!--Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


My application-security.xml



<beans:beans xmlns="http://ift.tt/1c8inpe"
         xmlns:beans="http://ift.tt/GArMu6"
         xmlns:security="http://ift.tt/1c8inpe"
         xmlns:xsi="http://ift.tt/ra1lAU"
         xsi:schemaLocation="http://ift.tt/GArMu6
http://ift.tt/QEDs1e
http://ift.tt/1c8inpe
http://ift.tt/1epvZ6L
http://ift.tt/1c8inpe
http://ift.tt/1epvZ6L">

<security:http security="none" pattern="**/resources/**"/>

<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">

    <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />

    <intercept-url pattern="/rest**" access="permitAll" />

    <!-- access denied page -->
    <access-denied-handler error-page="/access-denied" />

    <form-login
            login-page="/login"
            default-target-url="/admin/dashboard"
            authentication-failure-url="/login?error"
            username-parameter="username"
            password-parameter="password" />
    <logout logout-success-url="/login?logout"  />
    <!-- enable csrf protection -->
    <csrf/>
</http>

<!-- Select users and user_roles from database -->
<authentication-manager>

    <authentication-provider>
        <password-encoder ref="encoder" />
        <jdbc-user-service data-source-ref="dataSource"
                           users-by-username-query="select username,password, enabled from users where username=?"
                           authorities-by-username-query="select username, role from user_roles where username =?" />
    </authentication-provider>

</authentication-manager>

<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <beans:constructor-arg name="strength" value="10" />
</beans:bean>

Publié par à
Libellés :

Aucun commentaire:

Enregistrer un commentaire

Inscription à : Publier les commentaires (Atom)