I use Spring Security 3.0.3.RELEASE. I would like to create a custom authentication processing filter.
I have created a filter like this:
// imports ommited
public class myFilter extends AbstractAuthenticationProcessingFilter {
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, Se开发者_JAVA百科rvletException {
// some code here
}
}
I configures my security.xml
in the following way:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http auto-config="true">
<!--<session-management session-fixation-protection="none"/>-->
<custom-filter ref="ipFilter" before="FORM_LOGIN_FILTER"/>
<intercept-url pattern="/login.jsp*" filters="none"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
<form-login login-page="/login.jsp" always-use-default-target="true"/>
<logout logout-url="/logout" logout-success-url="/login.jsp" invalidate-session="true"/>
</http>
<beans:bean id="ipFilter" class="myFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<authentication-manager alias="authenticationManager" />
</beans:beans>
Everything seems to be right, but when I try to access to protected pages insted of myFilter.attemptAuthentication
called myFilter.doFilter
.
Any ideas why?
Of course servlet container calls MyFilter.doFilter
- after all, this is the entry point into the filter.
In your specific case, the servlet container is supposed to call doFilter()
on AbstractAuthenticationProcessingFilter, not on MyFilter
.
AbstractAuthenticationProcessingFilter.doFilter()
in turn is responsible for calling MyFilter.attemptAuthentication()
.
If that is not the case, maybe you overrode doFilter()
in MyFilter
? If yes, better remove that (or at least call super.doFilter()
). See JavaDocs of AbstractAuthenticationProcessingFilter for more details.
EDIT: MinimeDJ clarified that everything is as I am suggesting above. In that case, I suggest to check the value of filterProcessesUrl
property. From the JavaDocs:
This filter will intercept a request and attempt to perform authentication from that request if the request URL matches the value of the filterProcessesUrl property. This behaviour can modified by overriding the method requiresAuthentication.
So you can:
- either set the appropriate
filterProcessesUrl
value (usually something like/j_spring_security_check
) - or you can override
requiresAuthentication
method to always returntrue
.
If you are still having problems then I suggest you take a debugger and step through spring-security (and your) code to see where exactly the issue occurs.
精彩评论