
I modified my applicationContext-security-preauth.xml with the goal of removing filters from a particular URL.

I'm having trouble with the spring-security-oauth filter, so I want to temporarily avoid using this filter for particular requests.

<intercept-url pattern="/notsecure/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

After building and copying the new JAR, and then refreshing Tomcat, my /notsecure/ HTTP requests still hit this filter, according to my logs.

I would not have expected any filter to be hit, given my configuration change.

EDIT: I'm using Spring Security 2

Manuel Jordan
Kevin Meredith

1 Answer


If you want to avoid hitting any filters for that URL you will need an additional <http> element like this:

<security:http pattern="/notsecure/**" security="none"/>

(This will work only with Spring Security 3.1+)

IS_AUTHENTICATED_ANONYMOUSLY requires that the request be anonymously authenticated, which is done by a filter (namely the AnonymousAuthenticationFilter).

Manuel Jordan
zagyi
  • what are my options for SS 2? – Kevin Meredith Apr 19 '13 at 18:09
  • 1
    Sorry, I can't help with that. :( It's too old. – zagyi Apr 19 '13 at 18:11
  • Is it possible for me to simply do `return "Anonymous"` inside of my `getPreAuthenticatedPrincipal()` method under the right conditions, as well as update the intercept-url for `ROLE_ANONYMOUS`? Or is there more to do on the second step I mentioned? – Kevin Meredith Apr 19 '13 at 18:35
  • It seems that in version 2 the [`AnonymousProcessingFilter`](http://static.springsource.org/spring-security/site/docs/2.0.x/apidocs/org/springframework/security/providers/anonymous/AnonymousProcessingFilter.html) does the same thing as the `AnonymousAuthenticationFilter` in version 3. If you have that filter in the chain, and no other filters authenticate the request, then it'll be assigned an anon. auth. token. Then it should pass `IS_AUTHENTICATED_ANONYMOUSLY` with that. – zagyi Apr 19 '13 at 20:02
  • My log says `Granted Authorities: ROLE_ANONYMOUS` after running filter `AnonymousProcessingFilter`. However `step 9 of 11` in the filter chain runs through the filter, `org.springframework.security.oauth.provider.ProtectedResourceProcessingFilter`. Is there some way to specify not to do this particular filter? – Kevin Meredith Apr 19 '13 at 20:18
  • And does the `ProtectedResourceProcessingFilter` clear the authentication token? If so, I don't know what you could do, as in 2.x there can be only one filter chain AFAIK. – zagyi Apr 19 '13 at 20:26
  • Based on its source, http://tinyurl.com/bmnacp8, it looks like it gets the token from the SecurityContext, i.e. does not clear it (I believe). Anyway, I modified my `applicationContext-security-preauth.xml` to `<... "/notsecure/**" filters="none"/>`, but logs show all of my filters were processed. I don't get it. – Kevin Meredith Apr 19 '13 at 20:52
  • The `filters` attribute is not available in the namespace schema in v2.x (http://static.springsource.org/spring-security/site/docs/2.0.x/reference/html/appendix-namespace.html#d4e3148). So which version do you use now? What about including the whole security config in your question? – zagyi Apr 19 '13 at 21:00
  • @zagyi It is actually, if you check [the schema](https://github.com/SpringSource/spring-security/blob/2.0.x/core/src/main/resources/org/springframework/security/config/spring-security-2.0.6.rnc#L263). It just probably wasn't properly documented back then. Version 2 is way past EOL though, so upgrading would be advised. – Shaun the Sheep Apr 20 '13 at 10:24
  • @LukeTaylor: Oops, sometimes I rely too much on docs... :) Kevin, sorry for the confusion. – zagyi Apr 20 '13 at 10:29
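To show the difference the answer draws between relaxing the access rule and bypassing the filter chain, here is an added Spring Security 3.1+ namespace configuration (example code, not from the question, the answer, or the project): one `<http>` chain with `security="none"` for `/notsecure/**` declared ahead of the default chain that still carries the OAuth provider filter. The bean id `oauthProtectedResourceFilter` and the sample user are assumed for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the question or answer): Spring Security 3.1+
     config that routes /notsecure/** through no security filters at all,
     while every other request keeps the full chain, including the OAuth
     ProtectedResourceProcessingFilter. The bean id
     "oauthProtectedResourceFilter" is an assumed name. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
                 http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Chain 1, matched first. security="none" registers an empty filter
         list for this pattern: no anonymous, OAuth or authorization filter
         runs, and SecurityContextHolder is empty inside these handlers.
         FilterChainProxy uses the first chain whose pattern matches, so a
         pattern-specific <http> must be declared before the catch-all one. -->
    <http pattern="/notsecure/**" security="none"/>

    <!-- Chain 2: the default chain for every other request. -->
    <http use-expressions="true">
        <!-- An intercept-url only changes the authorization decision made
             at the end of the chain; the request still passes through
             every filter before it, which is what the asker observed. -->
        <intercept-url pattern="/public/**" access="permitAll"/>
        <intercept-url pattern="/**" access="isAuthenticated()"/>

        <!-- The OAuth provider filter stays in place for secured paths
             (bean id assumed; a ProtectedResourceProcessingFilter bean). -->
        <custom-filter ref="oauthProtectedResourceFilter"
                       before="FILTER_SECURITY_INTERCEPTOR"/>
        <anonymous/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- Constructed sample user for the example only. -->
                <user name="demo" password="demo" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

Because nothing under `/notsecure/**` sees a SecurityContext, keep that pattern narrow and confirm in the logs that only the intended URLs report an empty filter chain.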