Home > Enterprise >  Jersey filter servlet container ignores spring security filter chain
Jersey filter servlet container ignores spring security filter chain

Time:02-16

i am trying to deploy my spring application and it does deploy fine but the requests are not being intercepted by the spring security filter, if I use a < servlet > it works perfectly but when i switch to a < filter > it suddenly stops working, here's my web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <display-name>Campus</display-name>
    <context-param>
        <param-name>contextClass</param-name>
        <param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
    </context-param>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            ar.com.campus.config.WebConfig,
            ar.com.campus.security.config.WebSecurityConfig
        </param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>


    <filter>
        <filter-name>jersey</filter-name>
        <filter-class>org.glassfish.jersey.servlet.ServletContainer</filter-class>
        <init-param>
            <param-name>jersey.config.server.provider.packages</param-name>
            <param-value>
                ar.com.campus.controllers,
                ar.com.campus.security.api.exceptionmapper
            </param-value>
        </init-param>
        <init-param>
            <param-name>jersey.config.servlet.filter.contextPath</param-name>
            <param-value>/</param-value>
        </init-param>
        <init-param>
            <param-name>jersey.config.server.provider.classnames</param-name>
            <param-value>
                org.glassfish.jersey.media.multipart.MultiPartFeature,
                org.glassfish.jersey.tests.integration.servlettests.FilterForwardOn404Resource
            </param-value>
        </init-param>
        <init-param>
            <param-name>jersey.config.servlet.filter.forwardOn404</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>jersey</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

</web-app>

Looking at my logs the filter seems to get initialized:

02:38:50.762 [RMI TCP Connection(3)-127.0.0.1] DEBUG o.s.web.filter.DelegatingFilterProxy - Initializing filter 'springSecurityFilterChain'
02:38:50.763 [RMI TCP Connection(3)-127.0.0.1] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'springSecurityFilterChain'
02:38:50.763 [RMI TCP Connection(3)-127.0.0.1] DEBUG o.s.web.filter.DelegatingFilterProxy - Filter 'springSecurityFilterChain' configured successfully

but when i make a request to any mapping endpoint i have it does not go through the spring security filter, here's my WebSecurityConfig:

@Configuration
@EnableWebSecurity
@ComponentScan({"ar.com.campus.security" })
@PropertySource(value= {"classpath:application.properties"})
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
   ...
   ...
    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        CharacterEncodingFilter filter = new CharacterEncodingFilter();
        filter.setEncoding("UTF-8");
        filter.setForceEncoding(true);
        http
            .cors()
                .and()
            .csrf()
                .disable()
            .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.GET, API_PREFIX   "/user").hasAuthority("USER")
                    .antMatchers("/**").permitAll();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Collections.singletonList("*"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
        configuration.setAllowedHeaders(Arrays.asList("authorization", "content-type", "x-auth-token"));
        configuration.setExposedHeaders(Arrays.asList("x-auth-token", "authorization", "X-Total-Pages", "Content-Disposition"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    @Override
    public void configure(final WebSecurity web) {
        web
           .ignoring()
                .antMatchers("/");
    }
}

CodePudding user response:

Filters are executed in order they are defined. Which is the order the filter-mapping are defined. In your case you defined the jersey filter before the securityFilterChain.

If you switch the order the securityFilterChain would be invoked first.

  • Related