views:

2539

answers:

3

Any ideas about why doFilterHttp in my SpringSecurityFilter subclass is getting called twice on each request? I don't really know where to start looking. Feeling a little stumped.

I'm reverse engineering a vacationing co-worker's code. To the best I can figure it, here's the relevant configuration:

in web.xml:

<filter>
 <filter-name>userSecurityFilter</filter-name>
 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
 <filter-name>userSecurityFilter</filter-name>
 <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>userSecurityFilter</filter-name>
<url-pattern>/json/*</url-pattern>

In spring-security.xml:

 <!-- Create the filter chains for developers, users and services -->
 <bean id="userSecurityFilter" class="org.springframework.security.util.FilterChainProxy">
  <security:filter-chain-map path-type="ant">
     <security:filter-chain pattern="/**/json/*"     filters="AuthFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor"/>
     <security:filter-chain pattern="/**/*.do"       filters="AuthFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor"/>
     <security:filter-chain pattern="/**"            filters="anonymousProcessingFilter,logoutFilter,exceptionTranslationFilter,filterInvocationInterceptor"/>
  </security:filter-chain-map>
</bean>

It looks like the /*/json/ urls are getting the filter chain applied twice, while others only get it once. I'm going to go back and check to make sure what I just said is really true.

A: 

Not much to go on here, but it may be that servlet container is processing several dispatchers, look in web.xml for:

<filter-mapping>
    <filter-name>securityFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <!-- the following is optional, but some containers give the wrong default -->
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Can you post the filter-mapping from your web.xml?

Gareth Davis
gid, thanks for the response. The filter mapping isn't straightforward. My filter (actually my co-worker's -- he's on vacation, hence my lost-ness :) ) seems to be added via some spring magic, perhaps initiated via <filter> <filter-name>userSecurityFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter>
morgancodes
I'll look at this more and come back when I have some better questions.
morgancodes
A: 

Spring Security filters are not configured in the web.xml like classic Servlet Filters. They are instead configured somewhere in the application-context.xml (or whatever .xml configuration files you import in your web.xml).

Look for beans with a tag like this :

<custom-filter position="LAST" />

adding that tag to a bean will add it to your Spring Security filter chain. My guess is that it's added to the chain properly and also added as a Servlet Filter as shown above. Hence it's actually configured twice.

Gandalf
A: 

Ok, fixed it I think.

<filter-mapping>
        <filter-name>userSecurityFilter</filter-name>
        <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>userSecurityFilter</filter-name>
<url-pattern>/json/*</url-pattern>

There are urls under /json/ that end in ".do", so those urls were getting all of the Spring Security stuff applied twice. Thanks for the responses! Even though it was a dumb problem and I answered it myself, working through the reponses led me to the answer. Much appreciated.

morgancodes