I am using Spring Security 3.0 with JSPs. I have created a RequireVerificationFilter that redirects unverified users to a "verify your email" page.

I added the filter to the spring security filter stack in last place like so:

Bean definition in my app-config.xml:

    <bean id="requireVerificationFilter" class="com.ebisent.web.RequireVerificationFilter" />

Filter added to spring security filter list in my security-config.xml:

    <custom-filter ref="requireVerificationFilter" after="LAST" />

The filter works, but it filters its own redirect URL. That is, the filter redirects unverified users to /access/verify, but that URL is also caught by the filter, which attempts the redirect ad infinitum.

I tried using the <filter-mapping> tag to restrict the URLs this new filter applies to, but that does not seem to work the way I thought it would. Here is the web.xml entry I added anyway:

    <filter>
        <filter-name>requireVerificationFilter</filter-name>
        <filter-class>com.ebisent.web.RequireVerificationFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>requireVerificationFilter</filter-name>
        <url-pattern>/account/*</url-pattern>
    </filter-mapping>

I read through "Adding in Your Own Filters" in the Spring Security documentation, but did not find an answer.

My question is: how can I specify which URLs my filter applies to?

UPDATE:

I got this working by specifying the URL to allow within the filter itself. This works fine for me, but if there is a better/more "springy" way to do it, I would be glad to hear it.

A: 

You have to do this inside the actual configuration XML (the same place you have the `<custom-filter ref="requireVerificationFilter" after="LAST" />`).

    <http ...>
       <intercept-url pattern="/access" ... filters="..., requireVerificationFilter, ..." />
       <intercept-url pattern="/verify" ... filters="none" />
       ...
    </http>

Something along those lines: you can specify a list of the filters you want to run and exclude those you don't (and "none" means none). You should not need to add your filter to the web.xml - only inline with the Spring Security filter chain.

Gandalf
Thank you! I have intercept-url tags in my security config, but I didn't know you could specify filters there.
robert
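
The approach mentioned in the question's UPDATE (exempting the redirect target inside the filter itself), sketched as an added example that is not the asker's or the answerer's code. The class name `VerificationRedirectFilter` and the `emailVerified` session attribute are assumptions; only the `/access/verify` path comes from the question.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: sends unverified users to the verification page
// without intercepting its own redirect target.
public class VerificationRedirectFilter implements Filter {
    // Redirect target from the question; it must be exempt or the filter loops.
    private static final String VERIFY_PATH = "/access/verify";
    // Assumption: login code stores Boolean.TRUE here once the e-mail is confirmed.
    private static final String VERIFIED_ATTR = "emailVerified";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isExempt(request) || isVerified(request)) {
            chain.doFilter(req, res);
            return;
        }
        // Context-relative redirect to the one exempt URL, so no loop is possible.
        response.sendRedirect(request.getContextPath() + VERIFY_PATH);
    }

    static boolean isExempt(HttpServletRequest request) {
        // servletPath + pathInfo is decoded by the container and carries no
        // context path or query string. Exact equality (not startsWith or
        // contains) keeps the exemption from covering any other URL.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        return VERIFY_PATH.equals(path);
    }

    static boolean isVerified(HttpServletRequest request) {
        // Fail closed: no session or a missing attribute counts as unverified.
        HttpSession session = request.getSession(false);
        return session != null && Boolean.TRUE.equals(session.getAttribute(VERIFIED_ATTR));
    }
}
```

Because a missing session counts as unverified, this sketch assumes the filter only runs on requests that Spring Security has already authenticated.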