tags:

views:

2539

answers:

3
Q: 

Why is my (Spring Security) servlet filter getting called twice?

Any ideas about why doFilterHttp in my SpringSecurityFilter subclass is getting called twice on each request? I don't really know where to start looking. Feeling a little stumped.

I'm reverse engineering a vacationing co-worker's code. To the best I can figure it, here's the relevant configuration:

in web.xml:

<filter>
 <filter-name>userSecurityFilter</filter-name>
 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
 <filter-name>userSecurityFilter</filter-name>
 <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>userSecurityFilter</filter-name>
<url-pattern>/json/*</url-pattern>

In spring-security.xml:

 <!-- Create the filter chains for developers, users and services -->
 <bean id="userSecurityFilter" class="org.springframework.security.util.FilterChainProxy">
  <security:filter-chain-map path-type="ant">
     <security:filter-chain pattern="/**/json/*"     filters="AuthFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor"/>
     <security:filter-chain pattern="/**/*.do"       filters="AuthFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor"/>
     <security:filter-chain pattern="/**"            filters="anonymousProcessingFilter,logoutFilter,exceptionTranslationFilter,filterInvocationInterceptor"/>
  </security:filter-chain-map>
</bean>

It looks like the /*/json/ urls are getting the filter chain applied twice, while others only get it once. I'm going to go back and check to make sure what I just said is really true.

A: 

Not much to go on here, but it may be that servlet container is processing several dispatchers, look in web.xml for:

<filter-mapping>
    <filter-name>securityFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <!-- the following is optional, but some containers give the wrong default -->
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Can you post the filter-mapping from your web.xml?

Gareth Davis  2009-05-04 20:20:02
gid, thanks for the response. The filter mapping isn't straightforward. My filter (actually my co-worker's -- he's on vacation, hence my lost-ness :) ) seems to be added via some spring magic, perhaps initiated via <filter> <filter-name>userSecurityFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter>
morgancodes  2009-05-04 20:28:25
I'll look at this more and come back when I have some better questions.
morgancodes  2009-05-04 20:28:51
A: 

Spring Security filters are not configured in the web.xml like classic Servlet Filters. They are instead configured somewhere in the application-context.xml (or whatever .xml configuration files you import in your web.xml).

Look for beans with a tag like this :

<custom-filter position="LAST" />

adding that tag to a bean will add it to your Spring Security filter chain. My guess is that it's added to the chain properly and also added as a Servlet Filter as shown above. Hence it's actually configured twice.

Gandalf  2009-05-05 22:16:27
A: 

Ok, fixed it I think. 

<filter-mapping>
        <filter-name>userSecurityFilter</filter-name>
        <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>userSecurityFilter</filter-name>
<url-pattern>/json/*</url-pattern>

There are urls under /json/ that end in ".do", so those urls were getting all of the Spring Security stuff applied twice. Thanks for the responses! Even though it was a dumb problem and I answered it myself, working through the reponses led me to the answer. Much appreciated.

morgancodes  2009-05-07 20:02:35

related questions

urlrewritefilter problem with velocity template rendering
Init method invocation in filter
Spring MVC and parsing HTML
Is doFilter() executed before or after the Servlet's work is done?
How can I get the HTTP status code out of a ServletResponse in a ServletFilter?
How do you introspect web.xml from a servlet?
Filters Help - Getting 2 filters to work with each other.
J2EE Filters not able to get cookies?
Enabling browser caching via java
Java Servlet: pass a request back to default processing.
Is it possible to write a servlet filter to take inspect HTTP response codes?
Handling 'session expired' in JSF web application, running in JBoss AS 5
How to redirect to Login page when Session is expired in Java web application?
Configuring javax.servlet.Filter and javax.xml.rpc.handler.GenericHandler at server level
ThreadLocal + java.sql.Connection + servlet filter = 2009?
Is it possible to use wildcards within J2EE - fitlers?
Servlet Filters and the OSGi HttpService
How to get POST URL with parameters from HttpServletReqest in ServletFilter? (For proxy app)
Servlet Filter: Socket need to be referenced in doFilter()
Java servlet filter not working on login
How to remove pre-defined characters from user input in a J2EE web application?
Issue opening Excel documents with Internet Explorer
Override getContextPath in an HttpServletRequest (for URL rewriting)
Handling context-path refs when migrating "/" site to Java EE packaging