spring, model-view-controller, spring-security, urlrewriter

Cannot use Spring Security together with the Tuckey UrlRewriteFilter


I am using Spring MVC with the Tuckey UrlRewriteFilter to get extensionless URLs. Everything works, but I recently ran into a problem handling the POST to /j_spring_security_check. Here are my config files:

urlrewrite.xml

<!-- A request path ending in "/" is forwarded to "home" (the pattern is anchored only at the end). -->
<rule>
   <from>/$</from>
   <to type="forward">home</to>
</rule>
<!-- A path ending in /signup is forwarded to /signup. -->
<rule>
   <from>/signup$</from>
   <to type="forward">/signup</to>
</rule>
<!-- Intended to pass the login-processing URL through unchanged and stop rule processing (last="true").
     NOTE(review): the (\?.*) group is not optional here, unlike (\?.*)? in the catch-all rule below,
     so this pattern needs a literal "?" after the path. A plain POST to /j_spring_security_check
     would not match and would fall through to the catch-all, which appends .htm. Confirm against
     how the filter matches query strings. -->
<rule>
    <from>/j_spring_security_check(\?.*)</from>
    <to last="true">/j_spring_security_check$1</to>
</rule> 
<!-- Same pass-through shape for /logout; the same non-optional (\?.*) caveat applies. -->
<rule>
    <from>/logout(\?.*)</from>
    <to last="true">/logout$1</to>
</rule> 
<!-- Catch-all: when the last path segment contains no dot, append .htm and keep any query string.
     This maps extensionless URLs onto the *.htm pattern handled by the DispatcherServlet. -->
<rule>
    <from>^([^?]*)/([^?/\.]+)(\?.*)?$</from>
    <to last="true">$1/$2.htm$3</to>
</rule>
<!-- Outbound: strip the .htm suffix from generated links so clients only see extensionless URLs. -->
<outbound-rule>
    <from>^(.*)\.htm(\?.*)?$</from>
    <to last="false">$1$2</to>
</outbound-rule>

spring security `

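<!-- This is where we configure Spring-Security -->
<!-- intercept-url rules are evaluated top to bottom and the first matching pattern wins,
     so the specific patterns are listed first and the permitAll catch-all comes last.
     With "/**" listed first, the /admin/** and /user rules were never reached and every
     URL was open to anonymous users. -->
<security:http auto-config="true" use-expressions="true" access-denied-page="/denied.htm">
    <security:intercept-url pattern="/admin/**"  access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/user" access="hasRole('ROLE_USER')" />
    <security:intercept-url pattern="/**"  access="permitAll" />
    <!-- The login page is /signup; failed logins return to it with error=authenticate. -->
    <security:form-login login-page="/signup" authentication-failure-url="/signup?error=authenticate" default-target-url="/" />
    <security:logout invalidate-session="true" logout-success-url="/" logout-url="/logout" />
    <!-- NOTE(review): the remember-me key is used when building and checking remember-me tokens.
         It should be a private, per-deployment value rather than a sample literal kept in config. -->
    <security:remember-me key="springRocks" user-service-ref="userDetailsService"/>
</security:http>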


<!-- Declare an authentication-manager to use a custom userDetailsService.
     The single provider loads users through the userDetailsService bean and compares
     passwords with the passwordEncoder bean; no salt-source is configured on the encoder. -->
<security:authentication-manager>
    <security:authentication-provider user-service-ref="userDetailsService">
        <security:password-encoder ref="passwordEncoder" />
    </security:authentication-provider>
</security:authentication-manager>

<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the
    database.
    NOTE(review): MD5 is a fast hash and, as wired here, is applied without a salt, so a leaked
    user table can be attacked offline with precomputed tables or brute force. Plan a migration
    to an adaptive, salted scheme (for example bcrypt), re-hashing each password at the user's
    next successful login. -->
<bean
    class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder" />

<!-- JDBC-backed user DAO, wired to the shared dataSource bean. -->
<bean id="userDaoService" class="com.dolo.dao.jdbc.JdbcUserDao">
    <property name="dataSource" ref="dataSource" />
</bean>

<!-- The user service referenced by both the authentication-provider and remember-me.
     No properties are injected here; presumably it obtains the DAO by autowiring. TODO confirm. -->
<bean id="userDetailsService" class="com.dolo.services.impl.UserServiceImpl">
</bean>

<!-- NOTE(review): this registers the User model class as a bean with no scope attribute.
     Confirm that a shared instance of a per-user object is really intended. -->
<bean id="userDetails" class="com.dolo.model.User">
</bean> 

`

web.xml

      <!-- Spring MVC front controller, registered under the servlet name "dolo".
           contextConfigLocation is given with an empty value in this listing. -->
      <servlet>
<servlet-name>dolo</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
        </param-value>
    </init-param>
<load-on-startup>1</load-on-startup>

...

<!-- The DispatcherServlet only receives *.htm requests, which is why the rewrite
     catch-all rule appends .htm to extensionless URLs. -->
<servlet-mapping>
<servlet-name>dolo</servlet-name>
<url-pattern>*.htm</url-pattern>

...

<!-- Tuckey UrlRewriteFilter, applied to every URL on REQUEST and FORWARD dispatches.
     NOTE(review): filters whose url-pattern matches run in the order their filter-mapping
     elements appear in web.xml. As listed here, this mapping comes ahead of
     springSecurityFilterChain, so Spring Security would only see rewritten URLs
     (for example /j_spring_security_check.htm). An intercept-url pattern such as /user would
     then have to match the rewritten form to take effect. Declare the springSecurityFilterChain
     mapping first so that login processing and access rules apply to the URL the client
     actually requested. -->
<filter>
    <filter-name>UrlRewriteFilter</filter-name>
    <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>UrlRewriteFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

....

  <!-- DelegatingFilterProxy hands each request to the Spring bean named after the filter-name,
       here the springSecurityFilterChain bean that the security namespace configuration creates. -->
  <filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

....

  <!-- The security filter chain covers every URL and all four dispatcher types, so forwarded
       (rewritten) requests pass through it as well as the original request.
       This mapping should be declared before the UrlRewriteFilter mapping. -->
  <filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>


Solution

  • Both can work together without any problem

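    The <filter-mapping> declaration for springSecurityFilterChain should come before the one for UrlRewriteFilter. Filters run in the order their mappings are declared, so Spring Security then sees the original request URL before any rewriting happens. Once that is done, you don't need any rewrite rule for j_spring_security_check.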