mercredi 29 juillet 2015

Spring Security custom fitler chain map

I am developing a spring web mvc application, which makes use of spring security. For my application I found that the standard authorization process does not fit my needs. To continue development I have created some custom spring security classes, and augmented my spring-security.xml

Everything is going fine, except when trying to use the <security:filter-chain-map> I receive a dependency error that I can't seem to resolve.

The classes from the spring-security-web jar (or one of its dependencies) are not available. You need these to use <filter-chain-map>

The most common solutions found on stackoverflow included adding javax.servlet api jar, and the jstl-1.2 jar. I have had those already. This is killing me. I've been adding different jars in-and-out and it's not comming together.

I have found this http://ift.tt/1OPddE4 but I'm not sure I understand the answer.

dependencies

<dependencies>
    <!-- spring -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>${spring.version}</version>
        <exclusions>
            <!-- exclude commons-logging in favor of slf4j and logback -->
            <exclusion>
                <groupId>commons-logging</groupId>
                <artifactId>commons-logging</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-web</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-test</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <!-- aop -->
    <dependency>
        <groupId>org.aspectj</groupId>
        <artifactId>aspectjrt</artifactId>
        <version>1.8.6</version>
    </dependency>
    <dependency>
        <groupId>org.aspectj</groupId>
        <artifactId>aspectjweaver</artifactId>
        <version>1.8.6</version>
    </dependency>

    <!-- thymeleaf -->
    <dependency>
        <groupId>org.thymeleaf</groupId>
        <artifactId>thymeleaf-spring4</artifactId>
        <version>2.1.4.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-tiles2-spring4</artifactId>
        <version>2.1.1.RELEASE</version>
    </dependency>

    <!-- j2ee -->
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <version>3.1.0</version>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>jstl</artifactId>
        <version>1.2</version>
        <scope>provided</scope>
    </dependency>

spring-security.xml

<!-- config -->
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/js/**" security="none"/>
<security:http pattern="/img/**" security="none"/>

<!-- custom security chain filter -->
<security:filter-chain-map>
    <security:filter-chain pattern="/**"
        filters="
            ConcurrentSessionFilterAdmin, 
            securityContextPersistenceFilter, 
            logoutFilterAdmin, 
            basicAuthenticationFilterAdmin, 
            requestCacheAwareFilter, 
            securityContextHolderAwareRequestFilter, 
            anonymousAuthenticationFilter, 
            sessionManagementFilterAdmin, 
            exceptionTranslationFilter, 
            filterSecurityInterceptorAdmin
            springSecurityFilterChain"
    />
</security:filter-chain-map>

<!-- user roles security -->
<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/user/**" access="hasRole('USER_ROLE')"/>
    <security:intercept-url pattern="/oauth/callback**" access="permitAll"/>
    <security:access-denied-handler error-page="/"/>
    <security:form-login login-page="/"/>
    <security:session-management invalid-session-url="/"/>
    <security:csrf/>
</security:http>

<!-- spring security config -->
<security:authentication-manager id="authManager">
    <security:authentication-provider user-service-ref="PUEUserDetailsService"/>
</security:authentication-manager>

<!-- method security -->
<bean id="pueMethodSecurity" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager" ref="authManager"/>
    <property name="securityMetadataSource">
        <!-- method security -->
        <security:method-security-metadata-source>
            <security:protect access="permitAll" method="abnd.pue.controller.UserController.index*"/>
            <security:protect access="USER_ROLE" method="abnd.pue.controller.UserController.user*"/>
        </security:method-security-metadata-source>
    </property>
</bean>

relevant web.xml

<!-- spring security filter -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>abnd.pue.auth.PUEUsernameAuthFilterAdmin</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Aucun commentaire:

Enregistrer un commentaire