Posted to users@tomcat.apache.org by Ashish Jain <as...@gmail.com> on 2010/07/15 10:08:59 UTC

Spring security configuration in web.xml results in 403 error

Hi,

I have an application which uses a non-interactive login and hence utilizes
the NonLogin Authenticator in Tomcat. Here is a snippet from web.xml.

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext-security.xml</param-value>
    </context-param>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <login-config>
        <auth-method>NONE</auth-method>
        <realm-name>cas-authorize</realm-name>
    </login-config>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protect JSPs</web-resource-name>
            <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>testUsers</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>testUsers</role-name>
    </security-role>

However, I see that container security is invoked before any Spring-related
stuff. Since it is a non-interactive login, the Subject is not populated with any
principals, and hence Tomcat is unable to authorize access to the resource. My
question is:

How can I revert the security mechanism so that Spring Security is invoked
before Tomcat security?

Thanks
Ashish

Re: Spring security configuration in web.xml results in 403 error

Posted by André Warnier <aw...@ice-sa.com>.
Ashish Jain wrote:
> any takers for this Q???
> 
> On Thu, Jul 15, 2010 at 1:38 PM, Ashish Jain <as...@gmail.com> wrote:
> 
>> Hi,
>>
>> I have an application which uses a non-interactive login and hence utilizes
>> the NonLogin Authenticator in Tomcat. Here is a snippet from web.xml.
>>
>>     <context-param>
>>         <param-name>contextConfigLocation</param-name>
>>         <param-value>/WEB-INF/applicationContext-security.xml</param-value>
>>     </context-param>
>>
>>     <filter>
>>         <filter-name>springSecurityFilterChain</filter-name>
>>         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
>>     </filter>
>>
>>     <filter-mapping>
>>         <filter-name>springSecurityFilterChain</filter-name>
>>         <url-pattern>/*</url-pattern>
>>     </filter-mapping>
>>
>>     <listener>
>>         <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
>>     </listener>
>>
>>     <login-config>
>>         <auth-method>NONE</auth-method>
>>         <realm-name>cas-authorize</realm-name>
>>     </login-config>
>>
>>     <security-constraint>
>>         <web-resource-collection>
>>             <web-resource-name>Protect JSPs</web-resource-name>
>>             <url-pattern>*.jsp</url-pattern>
>>         </web-resource-collection>
>>         <auth-constraint>
>>             <role-name>testUsers</role-name>
>>         </auth-constraint>
>>     </security-constraint>
>>
>>     <security-role>
>>         <role-name>testUsers</role-name>
>>     </security-role>
>>
>> However, I see that container security is invoked before any Spring-related
>> stuff.

Exactly.  It is not specific to Spring.  The container security is invoked before even
invoking the application, of which servlet filters are the first layer.

>> Since it is a non-interactive login, the Subject is not populated with any
>> principals, and hence Tomcat is unable to authorize access to the resource. My
>> question is:
>>
>> How can I revert the security mechanism so that Spring Security is invoked
>> before Tomcat security?
>>
>>

I don't think you can.  As they say in French, you can't have at the same time the butter, 
and the money of the butter.

If you want your first filter to be called in order to authenticate the user, then you'll 
have to remove the container security, and do your own security check in a second filter, 
invoked after the filter you already have has set the user-id.

Alternatively (but I don't know that part very well, so don't take my word for it), you 
would have to remove your first filter, and use/create a Realm which authenticates the 
user, which container-based security could then use.
See the standard
       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
              resourceName="UserDatabase"/>
for an example.



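To illustrate the first option André describes (drop the container <security-constraint>, keep the Spring filter first, and authorize in a second filter), here is an added example that is not from the thread and not Spring Security's or Tomcat's own code: a hypothetical JspRoleCheckFilter that enforces the testUsers role for *.jsp. It assumes the earlier filter has already made the authenticated user visible through the standard HttpServletRequest methods (Spring Security's SecurityContextHolderAwareRequestFilter, part of its default chain, wraps the request so that getRemoteUser() and isUserInRole() work).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical replacement for the <security-constraint> on *.jsp from the
 * original web.xml. Declare its <filter-mapping> AFTER the one for
 * springSecurityFilterChain, because the chain runs filters in the order
 * their <filter-mapping> elements appear:
 *
 *   <filter-mapping>
 *       <filter-name>jspRoleCheck</filter-name>
 *       <url-pattern>*.jsp</url-pattern>
 *   </filter-mapping>
 *
 * Requests that reach a JSP through RequestDispatcher.forward() bypass this
 * filter unless the mapping also lists <dispatcher>FORWARD</dispatcher>.
 */
public class JspRoleCheckFilter implements Filter {
    // Role name taken from the original <auth-constraint>.
    private static final String REQUIRED_ROLE = "testUsers";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Assumption: the authentication filter earlier in the chain has set the user.
        // With no authenticated user there is nothing to authorize, so fail closed.
        if (request.getRemoteUser() == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Authenticated but lacking the role: same 403 the container constraint gave.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response); // authorized: continue to the JSP
    }
}
```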

Re: Spring security configuration in web.xml results in 403 error

Posted by Ashish Jain <as...@gmail.com>.
any takers for this Q???
