Tuesday, July 5, 2016

Re: GWT and spring security integration,DelegatingFilterProxy has a dead loop

On Tuesday, July 5, 2016 at 1:25:39 PM UTC+3, Alex Luya wrote:
Does this mean that if I add the following to web.xml:

<!-- Spring Security related configuration -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/dp_web/service/*</url-pattern>
</filter-mapping>

I must use <http> to configure something in applicationContext.xml?

Yes. If you want to use the default implementation of the "filter chain", you have to use namespaces (<http>) for configuration, or you may use the JavaConfig approach.

In my case, I removed the above stuff from web.xml, added

@Secured({"ROLE_USER"})

to class ServiceBase and let all other services inherit from it, and added this:

 <security:global-method-security secured-annotations="enabled" />

to applicationContext.xml, removed everything else related to Spring Security from it and reran my web app. All invocations of the inheriting services give a 500 error, so the security mechanism does work, but obviously the following code is not enough:

// build a principal and authenticate it with the provider
User user = new User(login, password, true, true, true, true, new ArrayList<GrantedAuthority>());
Authentication auth = new UsernamePasswordAuthenticationToken(user, password,
        new ArrayList<GrantedAuthority>());
try {
    auth = this.authenticationProvider.authenticate(auth);
} catch (BadCredentialsException e) {
    throw new ClientSideBadCredentialsException(e.getMessage(), e);
}
// store the authenticated token in the thread-local security context
SecurityContext sc = new SecurityContextImpl();
sc.setAuthentication(auth);
SecurityContextHolder.setContext(sc);

So the question is: what else should I do besides:

1. add @Secured({"ROLE_USER"}) to the parent service
2. add <security:global-method-security secured-annotations="enabled" /> to applicationContext.xml

When you removed the Spring Security filter-chain stuff, the ability to inject the SecurityContext into the HttpRequest was removed too (that's what one of the security filters does).
So all requests are handled on behalf of the Anonymous user (even after authentication in the RPC service).

I suggest using a separate page with a "plain" HTML login form, without GWT RPC. That way you can use the default form login support from Spring Security.
Then you should configure access rules for HTTP requests (by using the <http> namespace or JavaConfig... there is a lot of info and samples):

1. Allow the login page for all.
2. Restrict all other URLs to authenticated users only.

And there is an example with a custom implementation of the AuthenticationProvider [1] if you do not want to implement a separate login page.

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
Visit this group at https://groups.google.com/group/google-web-toolkit.
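The two access rules from the reply, written out as an added example configuration that is not from the thread or from the GWT or Spring projects. It assumes Spring Security 4.x with the XML namespace, a login page at /login.html, a login processing URL of /login and a bean named authenticationProvider (the one the RPC login code calls); all of these names are assumptions.

```xml
<!-- web.xml: restore the filter chain, but map it to every URL rather than only
     /dp_web/service/*, so both the login page and the RPC servlet pass through
     the filter that restores the SecurityContext from the session per request -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- applicationContext.xml, security namespace used as the default namespace -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

    <http>
        <!-- rule 1: the plain HTML login page is open to everyone (path is assumed) -->
        <intercept-url pattern="/login.html" access="permitAll" />
        <!-- rule 2: everything else, including the GWT RPC servlet, needs an authenticated session -->
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <!-- default form login: the page POSTs username/password to /login (assumed URLs) -->
        <form-login login-page="/login.html"
                    login-processing-url="/login"
                    authentication-failure-url="/login.html?error=1" />
        <logout logout-url="/logout" logout-success-url="/login.html" />
        <!-- CSRF protection is on by default in 4.x, so RPC POSTs must carry the token;
             <csrf disabled="true" /> turns it off if that is not yet wired up -->
    </http>

    <!-- keeps @Secured({"ROLE_USER"}) on ServiceBase enforced for every inherited RPC method -->
    <global-method-security secured-annotations="enabled" />

    <!-- assumed bean id: the AuthenticationProvider the RPC login code already uses -->
    <authentication-manager>
        <authentication-provider ref="authenticationProvider" />
    </authentication-manager>
</beans:beans>
```

With the chain restored, the session-backed SecurityContext is present on each RPC call, so the @Secured check sees the logged-in user instead of the anonymous one.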
