
I'm facing some problems with spring security and spring boot here when adding some custom filters.

In my main class I have:

@ComponentScan
@SpringBootApplication
@ImportResource("/applicationContext.xml")
public class Application {}

Also I removed the "spring-boot-starter-security" dependency (I already tried with this dependency). I thought the problem was related to some automatic stuff from spring boot with spring security, so I tried to "disable" the spring-security starter from spring boot and configured security by myself, so I added explicitly the dependencies:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-acl</artifactId>
    <version>3.1.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>3.1.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>3.1.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>3.1.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>3.1.4.RELEASE</version>
</dependency>

Then I have a filter which makes a custom authentication:

public class SSOProcessingFilter extends GenericFilterBean {}

Then in my applicationContext.xml I created a bean for this filter:

<bean id="ssoAuthenticationFilter" class="com.custom.security.filter.SSOProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
</bean>

My problem happens when I try to remove security from an endpoint, for example:

<security:http pattern="/api/v1/health" security="none"/>

Once I started the application, it invokes the SSOProcessingFilter every time just by declaring the bean in the applicationContext.xml.

I need that once a given endpoint is marked to not have security, this SSOProcessingFilter does not execute.

Do you know why spring boot is always executing this filter even for endpoints without security?

Thanks in advance

1 Answer

Filters are applied according to their url patterns. By default subclasses of GenericFilterBean will have /* pattern. If you want to override this default behavior you have to register your filter manually with FilterRegistrationBean. On the other hand you can allow your authentication filter be hit at each request and let Spring access decision makers do their job. In this case the simplest configuration might look like the following:

<bean id="ssoFilter" class="com.custom.security.filter.SSOProcessingFilter"/>
<bean id="ssoEntryPoint" class="com.custom.security.SSOEntryPoint"/>

<http use-expressions="true" entry-point-ref="ssoEntryPoint">
    <intercept-url pattern="/api/v1/health" access="permitAll()"/>
    <intercept-url pattern="/**" access="isAuthenticated() and hasRole('ROLE_USER')"/>
    <custom-filter ref="ssoFilter" after="BASIC_AUTH_FILTER"/>
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user" password="secret" authorities="ROLE_USER"/>
        </user-service>
    </authentication-provider>
</authentication-manager>

SSOProcessingFilter will be invoked even if the user accesses /api/v1/health. As long as the request does not meet authentication requirements SSOProcessingFilter should ignore it and let it go through the filter chain.

briarheart
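The answer makes two separate points: Spring Boot registers every Filter bean with the servlet container on /* (which is why the filter fires on security="none" endpoints), and a filter that sits inside the Spring Security chain should pass through requests it has no business authenticating. The Java below is an added example written for this page, not code from the question, the answer, or any Spring project. It assumes Spring Boot 1.x (FilterRegistrationBean lives in org.springframework.boot.context.embedded there; Boot 2.x moved it to org.springframework.boot.web.servlet), a hypothetical X-SSO-Token header as the SSO credential, an AuthenticationProvider for PreAuthenticatedAuthenticationToken wired into the authentication manager, and the assumed class name SSOFilterRegistration.

```java
package com.custom.security.filter; // package taken from the question's bean definition

import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.boot.context.embedded.FilterRegistrationBean; // Boot 1.x; assumed version
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.filter.GenericFilterBean;

public class SSOProcessingFilter extends GenericFilterBean {

    // Hypothetical header carrying the SSO assertion; the real name depends on the SSO product.
    private static final String SSO_HEADER = "X-SSO-Token";

    private final AntPathMatcher pathMatcher = new AntPathMatcher();
    private AuthenticationManager authenticationManager;
    // Ant patterns the filter must leave alone; keep in step with security="none" / permitAll() entries.
    private List<String> ignoredPatterns = Arrays.asList("/api/v1/health");

    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public void setIgnoredPatterns(List<String> ignoredPatterns) {
        this.ignoredPatterns = ignoredPatterns;
    }

    // True when the request path matches an ignored pattern and must pass straight through.
    boolean shouldSkip(HttpServletRequest request) {
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        for (String pattern : ignoredPatterns) {
            if (pathMatcher.match(pattern, path)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String token = request.getHeader(SSO_HEADER);

        // Unsecured endpoint, no SSO credential, or already authenticated: do nothing.
        if (shouldSkip(request) || token == null
                || SecurityContextHolder.getContext().getAuthentication() != null) {
            chain.doFilter(req, res);
            return;
        }

        try {
            Authentication result = authenticationManager.authenticate(
                    new PreAuthenticatedAuthenticationToken(token, "N/A"));
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            // Leave the context empty; the entry point on <http> deals with the unauthenticated request.
            SecurityContextHolder.clearContext();
        }
        chain.doFilter(req, res);
    }
}

@Configuration
class SSOFilterRegistration { // assumed name

    // Spring Boot registers every Filter bean on /* by default. A disabled registration keeps the
    // filter out of the container's chain, so it runs only where <custom-filter> places it.
    @Bean
    public FilterRegistrationBean ssoFilterRegistration(SSOProcessingFilter ssoAuthenticationFilter) {
        FilterRegistrationBean registration = new FilterRegistrationBean(ssoAuthenticationFilter);
        registration.setEnabled(false);
        return registration;
    }
}
```

With the registration disabled, a request to /api/v1/health under `<security:http pattern="/api/v1/health" security="none"/>` never reaches the filter at all, because the only chain that would invoke it is the Spring Security one that the pattern bypasses. The shouldSkip check covers the other layout from the answer, where the filter is deliberately left in the chain and permitAll() endpoints still flow through it.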