tomcat-users mailing list archives

From André Warnier
Subject Re: Spring security configuration in web.xml results in 403 error
Date Fri, 23 Jul 2010 07:25:56 GMT
Ashish Jain wrote:
> any takers for this Q???
> On Thu, Jul 15, 2010 at 1:38 PM, Ashish Jain <> wrote:
>> Hi,
>> I have an application which uses non interactive login and hence utilizes
>> NONLogin Authenticator in tomcat. Here is a snippet from web.xml.
>> <context-param>
>>         <param-name>contextConfigLocation</param-name>
>>         <param-value>/WEB-INF/applicationContext-security.xml</param-value>
>>     </context-param>
>>     <filter>
>>         <filter-name>springSecurityFilterChain</filter-name>
>> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
>>     </filter>
>>     <filter-mapping>
>>         <filter-name>springSecurityFilterChain</filter-name>
>>         <url-pattern>/*</url-pattern>
>>     </filter-mapping>
>>     <listener>
>> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
>>     </listener>
>> <login-config>
>>        <auth-method>NONE</auth-method>
>>        <realm-name>cas-authorize</realm-name>
>>     </login-config>
>> <security-constraint>
>>         <web-resource-collection>
>>             <web-resource-name>Protect JSPs</web-resource-name>
>>             <url-pattern>*.jsp</url-pattern>
>>             </web-resource-collection>
>>         <auth-constraint>
>>             <role-name>testUsers</role-name>
>>         </auth-constraint>
>>     </security-constraint>
>>     <security-role>
>>         <role-name>testUsers</role-name>
>>     </security-role>
>> however I see that container security is invoked before any spring related
>> stuff. 

Exactly.  It is not specific to Spring.  The container security is invoked before even invoking the application, of which servlet filters are the first layer.

>> Since it is a non-interactive login, the Subject is not populated with any
>> principals
>> and hence tomcat is unable to authorize the access to resource. My Question
>> is
>> How can I revert the security mechanism so that Spring security is invoked
>> before tomcat security.

I don't think you can.  As they say in French, you can't have at the same time the butter and the money of the butter.

If you want your first filter to be called in order to authenticate the user, then you'll have to remove the container security, and do your own security check in a second filter, invoked after the filter you already have has set the user-id.

Alternatively (but I don't know that part very well, so don't take my word for it), you 
would have to remove your first filter, and use/create a Realm which authenticates the 
user, which container-based security could then use.
See the standard
       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
for an example.
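André's first suggestion in code, as an added example that is not from the thread or from Tomcat/Spring: with the `<security-constraint>` removed from web.xml, a second filter mapped after springSecurityFilterChain re-implements the "Protect JSPs" rule for the testUsers role. It assumes the first filter exposes the authenticated user through the standard servlet API (getUserPrincipal / isUserInRole); the class name JspRoleFilter is hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Second filter: enforces the former "Protect JSPs" constraint after authentication. */
public class JspRoleFilter implements Filter {

    private static final String REQUIRED_ROLE = "testUsers"; // role from the old <auth-constraint>

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isProtected(request)) {
            // Assumption: the upstream filter has already set the user on the request.
            if (request.getUserPrincipal() == null) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // no identity: reject, never fall through
                return;
            }
            if (!request.isUserInRole(REQUIRED_ROLE)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN); // same outcome the container gave
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Mirrors <url-pattern>*.jsp</url-pattern>: decoded path relative to the context root. */
    static boolean isProtected(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        return path.toLowerCase().endsWith(".jsp");
    }

    @Override
    public void destroy() { }
}
```

Filters run in the order of their `<filter-mapping>` elements in web.xml, so this filter's mapping must be declared after the springSecurityFilterChain mapping or it will see an empty principal on every request.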
