views:

231

answers:

1

Hello, I have configured my web application with the following config file:

 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"&gt;

<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />

<!--
    Filter chain; this is referred to from the web.xml file. Each filter
    is defined and configured as a bean later on.
-->
<!-- Note: anonumousProcessingFilter removed. -->
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map path-type="ant">
        <security:filter-chain pattern="/**"
            filters="securityContextPersistenceFilter,
                basicAuthenticationFilter,
                exceptionTranslationFilter,
                filterSecurityInterceptor" />
    </security:filter-chain-map>
</bean>

<!--
    This filter is responsible for session management, or rather the lack
    thereof.
-->
<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    <property name="securityContextRepository">
        <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
            <property name="allowSessionCreation" value="false" />
        </bean>
    </property>
</bean>

<!-- Basic authentication filter. -->
<bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>

<!-- Basic authentication entry point. -->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <property name="realmName" value="Ayudo Web Service" />
</bean>

<!--
    An anonymous authentication filter, which is chained after the normal authentication mechanisms and automatically adds an
    AnonymousAuthenticationToken to the SecurityContextHolder if there is no existing Authentication held there.
-->
<!--
    <bean id="anonymousProcessingFilter" class="org.springframework.security.web.authentication.AnonymousProcessingFilter">
    <property name="key" value="ayudo" /> <property name="userAttribute" value="anonymousUser, ROLE_ANONYMOUS" /> </bean>
-->

<!--
    Authentication manager that chains our main authentication provider
    and anonymous authentication provider.
-->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <property name="providers">
        <list>
            <ref local="daoAuthenticationProvider" />
            <ref local="inMemoryAuthenticationProvider" />
            <!-- <ref local="anonymousAuthenticationProvider" /> -->
        </list>
    </property>
</bean>

<!--
    Main authentication provider; in this case, memory implementation.
-->
<bean id="inMemoryAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="propertiesUserDetails" />
</bean>

<security:user-service id="propertiesUserDetails" properties="classpath:operators.properties" />

<!-- Main authentication provider. -->
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService" />
</bean>

<!--
    An anonymous authentication provider which is chained into the ProviderManager so that AnonymousAuthenticationTokens are
    accepted.
-->
<!--
    <bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
    <property name="key" value="ayudo" /> </bean>
-->

<bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <property name="dataSource" ref="dataSource" />
</bean>

<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
    <property name="accessDeniedHandler">
        <bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl" />
    </property>
</bean>

<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="securityMetadataSource">
        <security:filter-security-metadata-source use-expressions="true">
            <security:intercept-url pattern="/*.html" access="permitAll" />
            <security:intercept-url pattern="/version" access="permitAll" />
            <security:intercept-url pattern="/users/activate" access="permitAll" />
            <security:intercept-url pattern="/**" access="isAuthenticated()" />
        </security:filter-security-metadata-source>
    </property>
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
</bean>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
        </list>
    </property>
</bean>

As soon as I run my application on tomcat, I get a request for username/password basic authentication dialog. Even when I try to access: localhost:8080/myapp/version, which is explicitly set to permitAll, I get the authentication request dialog. Help!

Thank, Sammy

A: 

You have the basicAuthenticationFilter in your filter chain therefor it's going to try to authenticate a user. The permitAll will allow any user, but the request still needs to have a user in the SecurityContext (retrieved from your UserDetailsService).

If you want those URI's to allow all access (even without authenticating a user) then do this:

<intercept-url pattern="/version" filters="none"/>
Gandalf
I understand, thank you. Well in that case, which is better: to put back the anonymous authentication filter, or to modify the filter-chain ant pattern to exclude those urls?So if I understand correctly, the permitAll is simply for authorization purposes. Am I ok in putting the @secure tags on my service layer methods and that's it?
Sammy
Added more to my answer - I think it's what you are looking for.
Gandalf
Actually, I tried that... I get: Configuration problem: The attribute 'filters' isn't allowed here.
Sammy

related questions