Issues along migrating a comprehensive spring security xml based configuration (2.0.4) to java based configuration (4.2)

Question

In Spring security 2.0.4, the declaration was as follows and also the position of filters were declared in the individual bean declarations .....

Old Security.xml

<sec:http session-fixation-protection="migrateSession">
    <sec:intercept-url pattern="/login.hm*" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/services/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/widget/**" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/istore/theme/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/logout.hm*" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/mstore/theme/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/history*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/consumer_goods*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/electronics*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/accessories*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/reward_redemption*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/**" access="ROLE_UU,ROLE_SSS" requires-channel="https"/>
    <sec:form-login
            login-page="${login.url}"
            login-processing-url="${login.processing.url}"
            default-target-url="${setuppassword.page.url}"
            authentication-failure-url="${login.failure.url}" always-use-default-target="false" />
</sec:http>

Spring Security: how to exclude certain resources?

https://www.baeldung.com/security-none-filters-none-access-permitAll

The main issue is filters are not being excluded for certain URL patterns and not being set for others in a more precise way.

P.S. We also have HDIV which is also being migrated.

How do we configure filters and the chain order for specific URL's and ignore for some?
Is java based configuration better or XML?

Startup Logs

INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'characterEncodingFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'httpPutFormContentFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'requestContextFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'springSecurityFilterChain' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'sitemesh' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'CustomSecurityHeaderFilter' to urls: []
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'HttpOnlyCookieFilter' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'ValidatorFilter' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'org.springframework.security.filterChainProxy' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter:'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'httpOnlyCookieFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'logoutFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'iStoreFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'loginFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'preLoginFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: '_formLoginFilter' to: [/*]

score 0 · Answer 1 · answered Apr 04 '20 at 06:36

I had previously asked the below question which was deleted because it was not focused, so requerying it to answer it myself because I feel it may be useful to others as well.

https://stackoverflow.com/questions/60221667/custom-filters-being-called-by-spring-and-mapped-to-even-after-specifying-se

For Spring security migration to versions 3 & above you can simply extend WebSecurityConfigurerAdapter and override the methods which uses a builder pattern for JAVA based configuration which is simpler, granular and easy,

The first one to add URL patterns with roles, authentication providers, authentication handlers (success/failure), logout, logout handlers, session management config, set of filters with defined positions etc.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/istore/link.jsp").hasAnyAuthority("UU", "SSS")
                .antMatchers("/istore/**/*.jsp").hasAuthority("RESTRICT")
                .antMatchers("/mstore/**/*.jsp").hasAuthority("RESTRICT")
                .antMatchers("/istore/card*").hasAuthority("UU")
                .antMatchers("/istore/history*").hasAuthority("UU")
                .antMatchers("/istore/orders*").hasAuthority("UU")
                .antMatchers("/istore/consumer_goods*").hasAuthority("UU")
                .antMatchers("/istore/electronics*").hasAuthority("UU")
                .antMatchers("/istore/reward_redemption*").hasAuthority("UU")
                .antMatchers("/istore/accessories*").hasAuthority("UU")
                .antMatchers("/istore/privelege_card*").hasAuthority("UU")
                .antMatchers("/istore/profile*").hasAuthority("UU")
                .antMatchers("/istore/reward_redemption*").hasAuthority("UU")
                .antMatchers("/istore/addresses*").hasAuthority("UU")
                .antMatchers("/istore/**").hasAuthority("UU")
                .and()
                .formLogin()
                .loginPage("/login.hm")
                .failureUrl("/login.hm?err=1")
                .loginProcessingUrl("/istore_check.hm")
                .and()
                .authenticationProvider(authProvider)
                .logout()
                .and()
                .csrf().disable()
                .addFilterBefore(iStoreFilter, ChannelProcessingFilter.class)
                .addFilterAfter(loginFilter, BasicAuthenticationFilter.class)
                .addFilterAt(logoutFilter, org.springframework.security.web.authentication.logout.LogoutFilter.class)
                .addFilterAt(authenticationProcessingFilter, UsernamePasswordAuthenticationFilter.class)
                .sessionManagement().sessionFixation().migrateSession();
    }

The second one to ignore security filters within spring security filter chain for specific URL patterns.

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/services/**")
                .antMatchers(HttpMethod.GET,"/monitor/health")
                .antMatchers(HttpMethod.GET,"/widget/**")
                .antMatchers(HttpMethod.GET,"/login.hm*")
                .antMatchers(HttpMethod.GET,"/istore/login.jsp")
                .antMatchers(HttpMethod.GET,"/istore/logout.jsp")
                .antMatchers(HttpMethod.GET,"/registration.hm*")
                .antMatchers(HttpMethod.GET,"/tnc.hm*")
                .antMatchers(HttpMethod.GET,"/istore/clicktochat/**")
                .antMatchers(HttpMethod.GET,"/logout.hm")
                .antMatchers(HttpMethod.GET,"/istore/theme/**")
                .antMatchers(HttpMethod.GET,"/mstore/theme/**")
                .antMatchers(HttpMethod.GET,"/js/**")
                .antMatchers(HttpMethod.GET,"/breeze/**")
                .antMatchers(HttpMethod.GET,"/resources/**")
                .antMatchers(HttpMethod.GET,"/crossdomain.xml")
    }

The third one is to make available the authentication manager bean which was previously available as _authenticationManager but now it is to be declared as a bean as follows to be injected within your implementation of AbstractAuthenticationProcessingFilter which was previously AbstractProcessingFilter.

    @Override
    @Bean (name ="authenticationManagerBean")
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

P.S Please remember for migrations from 3 & below having xml based configuration to review your web.xml because the servlets and filter registrations is an important part and if it is not done as precise, you will find yourself debugging elsewhere and if HDIV is being used, please remove it and migrate it parallely and not together.

Issues along migrating a comprehensive spring security xml based configuration (2.0.4) to java based configuration (4.2)

1 Answers1