In Spring Security 2.0.4 the declaration was as follows, and the position of the filters was also declared in the individual bean declarations:
Old Security.xml
<sec:http session-fixation-protection="migrateSession">
    <sec:intercept-url pattern="/login.hm*" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/services/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/widget/**" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/istore/theme/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/logout.hm*" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/mstore/theme/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/history*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/consumer_goods*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/electronics*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/accessories*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/reward_redemption*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/**" access="ROLE_UU,ROLE_SSS" requires-channel="https"/>
    <sec:form-login
        login-page="${login.url}"
        login-processing-url="${login.processing.url}"
        default-target-url="${setuppassword.page.url}"
        authentication-failure-url="${login.failure.url}"
        always-use-default-target="false" />
</sec:http>
Spring Security: how to exclude certain resources?
https://www.baeldung.com/security-none-filters-none-access-permitAll
The main issue is that filters are not being excluded for certain URL patterns and are not being set for others in a more precise way.
P.S. We also have HDIV, which is also being migrated.
- How do we configure the filters and the chain order for specific URLs and ignore them for others?
- Is Java-based configuration better, or XML?
Startup Logs
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'characterEncodingFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'httpPutFormContentFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'requestContextFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'springSecurityFilterChain' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'sitemesh' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'CustomSecurityHeaderFilter' to urls: []
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'HttpOnlyCookieFilter' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'ValidatorFilter' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'org.springframework.security.filterChainProxy' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter:'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'httpOnlyCookieFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'logoutFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'iStoreFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'loginFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'preLoginFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: '_formLoginFilter' to: [/*]
I had previously asked the question below, which was deleted because it was not focused, so I am re-asking it to answer it myself because I feel it may be useful to others as well.
https://stackoverflow.com/questions/60221667/custom-filters-being-called-by-spring-and-mapped-to-even-after-specifying-se
For a Spring Security migration to version 3 and above, you can simply extend WebSecurityConfigurerAdapter and override its methods, which use a builder pattern for Java-based configuration that is simpler, more granular and easier.
P.S. For migrations from version 3 and below with XML-based configuration, please remember to review your web.xml, because the servlet and filter registrations are an important part; if they are not done precisely, you will find yourself debugging elsewhere. If HDIV is being used, please remove it and migrate it in parallel, not together.
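To make the answer concrete, here is an added example (written for this page, not the original poster's code) of the old XML above expressed as a WebSecurityConfigurerAdapter, together with the Spring Boot fix for the "Mapping filter: ... to: [/*]" lines in the startup log. It assumes Spring Boot 2.x with Spring Security 4.x or 5.x (pre-5.7, where antMatchers and WebSecurityConfigurerAdapter are still current), that the four property names from the XML are resolvable with @Value, and that the project's custom filter is available as some javax.servlet.Filter bean named customSecurityHeaderFilter (its real class is not on the page). The choice to keep login.hm and logout.hm inside the chain as permitAll, rather than ignoring them, is a design decision of this example and differs from the original filters="none".

```java
import javax.servlet.Filter;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Same placeholders the old XML used, resolved from application properties.
    @Value("${login.url}") private String loginUrl;
    @Value("${login.processing.url}") private String loginProcessingUrl;
    @Value("${setuppassword.page.url}") private String defaultTargetUrl;
    @Value("${login.failure.url}") private String loginFailureUrl;

    // Assumption: the project's own filter, injected as a plain servlet Filter bean.
    private final Filter customSecurityHeaderFilter;

    public SecurityConfig(@Qualifier("customSecurityHeaderFilter") Filter customSecurityHeaderFilter) {
        this.customSecurityHeaderFilter = customSecurityHeaderFilter;
    }

    // Spring Boot registers every Filter bean with the servlet container on /* in addition to
    // wherever you place it in the security chain; that is what the FilterRegistrationBean log
    // lines show. Disabling the container registration makes the chain position below the only
    // place the filter runs, instead of running twice on every request.
    @Bean
    public FilterRegistrationBean<Filter> customSecurityHeaderFilterRegistration(
            @Qualifier("customSecurityHeaderFilter") Filter filter) {
        FilterRegistrationBean<Filter> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }

    // Equivalent of filters="none": these paths bypass the security filter chain entirely,
    // so they get no channel enforcement, no session handling and no security headers.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/services/**", "/widget/**", "/istore/theme/**", "/mstore/theme/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // requires-channel="https" on every rule becomes one chain-wide rule.
            .requiresChannel().anyRequest().requiresSecure()
            .and()
            // session-fixation-protection="migrateSession"
            .sessionManagement().sessionFixation().migrateSession()
            .and()
            // intercept-url access rules, most specific first. hasAuthority("ROLE_UU") is used
            // rather than hasRole("UU") because hasRole only prepends ROLE_ from Spring Security 4 on.
            .authorizeRequests()
                .antMatchers("/login.hm*", "/logout.hm*").permitAll()
                .antMatchers("/istore/history*", "/istore/consumer_goods*", "/istore/electronics*",
                             "/istore/accessories*", "/istore/reward_redemption*").hasAuthority("ROLE_UU")
                .antMatchers("/istore/**").hasAnyAuthority("ROLE_UU", "ROLE_SSS")
                .anyRequest().authenticated()
            .and()
            // <sec:form-login .../>; always-use-default-target="false" is the second argument.
            .formLogin()
                .loginPage(loginUrl)
                .loginProcessingUrl(loginProcessingUrl)
                .defaultSuccessUrl(defaultTargetUrl, false)
                .failureUrl(loginFailureUrl)
                .permitAll()
            .and()
            // Chain order is expressed relative to a known Spring Security filter:
            // addFilterBefore / addFilterAfter / addFilterAt replace the bean-position
            // attributes of the old XML.
            .addFilterBefore(customSecurityHeaderFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

Two points worth checking after the migration: web.ignoring() reproduces filters="none" exactly, including its downside that the ignored paths receive no HTTPS redirect and no security headers, so only truly static resources belong there, while pages that merely need no login (login and logout here) are better left in the chain with permitAll. If some URL groups genuinely need a different set of filters rather than just different access rules, define several WebSecurityConfigurerAdapter beans, each annotated with @Order and starting with http.antMatcher("/istore/**") (or similar) so that each chain claims its own URL space.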