I have a web application which has Spring Security and by default all pages require authorization. In my scenario, an admin can at some point decide to disable security for some pages or disable it entirely. How could this be best achieved? I was thinking about modifying the `FilterChainProxy`, but it is not clear to me how exactly (`getFilterChains()` returns an unmodifiable list)?

- To start with, your configuration seems unusual as *everything* seems protected, including the login page (which usually is not). Could you explain more about the scenario in which an admin can disable the security of a page? Seems uncommon and interesting at the same time. – Emmanuel Ballerini Mar 21 '12 at 15:52
- Well it uses http-basic, therefore the default browser authentication dialog is used. The application is a kind of db search/explore/server and because everything is protected by default, the admin might need/decide to expose it (e.g. due to 3rd-party apps that need to communicate with the app but do not support authentication). – kpentchev Mar 21 '12 at 17:51
2 Answers
Subclass `DelegatingFilterProxy` and check a flag whether to call the delegate or not. Then use that in your web.xml in place of the `DelegatingFilterProxy` that is being used for the `springSecurityFilterChain` (assuming you are using namespace configuration). For example:
```xml
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>com.foo.spring.MyDelegatingFilterProxy</filter-class>
</filter>
```
In your DelegatingFilterProxy check a flag (for example, a system property) to see if you should delegate or not.
```scala
import javax.servlet.{FilterChain, ServletRequest, ServletResponse}
import org.springframework.web.filter.DelegatingFilterProxy

class MyDelegatingFilterProxy extends DelegatingFilterProxy {
  override def doFilter(request: ServletRequest, response: ServletResponse, chain: FilterChain): Unit = {
    // The flag here is a JVM system property; any other switch the admin controls works the same way
    if (System.getProperty("skipSpringSecurity") != null) {
      // Ignore the DelegatingFilterProxy delegate: continue down the chain without Spring Security
      chain.doFilter(request, response)
    } else {
      // Call the delegate (the springSecurityFilterChain bean)
      super.doFilter(request, response, chain)
    }
  }
}
```
You can use the same technique to use a blanket wildcard like `<security:intercept-url pattern="/**" access="ROLE_USER" />` and then skip calling the Spring Security filter for some set of paths under `/` (for static files, etc).
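The answer above sketches the idea with a single system property. The following is an added example, not code from the answer or from Spring, showing the same subclass in Java with the two switches the question asks for: a global "security off" toggle and a set of Ant-style path patterns the admin can open at runtime. It also records every bypass in the log, so that an exposed endpoint is visible in the audit trail. The class name `ToggleableSecurityFilterProxy` and the static toggle methods are assumptions; how the admin reaches them (an admin-only endpoint, a JMX bean) is left to the application.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;
import java.util.logging.Logger;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.util.AntPathMatcher;
import org.springframework.web.filter.DelegatingFilterProxy;

/**
 * Hypothetical replacement for the DelegatingFilterProxy registered as
 * "springSecurityFilterChain" in web.xml. Spring Security is skipped when
 * the admin has disabled it globally or opened a pattern matching the path.
 */
public class ToggleableSecurityFilterProxy extends DelegatingFilterProxy {

    private static final Logger LOG = Logger.getLogger(ToggleableSecurityFilterProxy.class.getName());
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Runtime state flipped by the admin. volatile / copy-on-write so that
    // request threads always observe a consistent value without locking.
    private static volatile boolean securityDisabledGlobally = false;
    private static final Set<String> openPatterns = new CopyOnWriteArraySet<String>();

    /** Admin switch: disable (true) or re-enable (false) Spring Security for every request. */
    public static void setSecurityDisabledGlobally(boolean disabled) {
        securityDisabledGlobally = disabled;
        LOG.warning("Spring Security globally " + (disabled ? "DISABLED" : "enabled") + " by admin");
    }

    /** Admin switch: expose paths matching an Ant pattern such as "/export/**". */
    public static void openPath(String antPattern) {
        openPatterns.add(antPattern);
        LOG.warning("Spring Security bypass opened for pattern " + antPattern);
    }

    /** Admin switch: put a previously opened pattern back behind Spring Security. */
    public static void closePath(String antPattern) {
        openPatterns.remove(antPattern);
        LOG.info("Spring Security bypass closed for pattern " + antPattern);
    }

    /** Decides for a path such as "/export/data.csv" whether the security chain is skipped. */
    static boolean shouldBypass(String path) {
        if (securityDisabledGlobally) {
            return true;
        }
        for (String pattern : openPatterns) {
            if (MATCHER.match(pattern, path)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        String path = "";
        if (request instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) request;
            // servletPath + pathInfo is the context-relative path Spring Security itself matches on
            path = http.getServletPath() + (http.getPathInfo() != null ? http.getPathInfo() : "");
        }
        if (shouldBypass(path)) {
            // Leave an audit line every time the chain is skipped, then continue without security
            LOG.warning("Spring Security bypassed for " + path);
            filterChain.doFilter(request, response);
        } else {
            // Normal case: hand the request to the springSecurityFilterChain bean
            super.doFilter(request, response, filterChain);
        }
    }
}
```

Two things to keep in mind with this approach. When the chain is skipped no `SecurityContext` is populated, so any method-level security (`@PreAuthorize`, `@Secured`) on the code behind an opened path will fail with `AuthenticationCredentialsNotFoundException` rather than silently allow the call; opening a URL only opens the filter layer. And because the state lives in the proxy, a redeploy or restart silently reverts every bypass, which is usually the safer default but should be expected.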

How is Spring Security configured? You could choose to add a custom `PermissionEvaluator` which validates your conditions.
Have a look at spring-security writing a custom PermissionEvaluator - how to inject a DAO service?
- I have some specific Voters and AuthenticationProvider, but otherwise it uses the default web app config
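To show what the second answer's suggestion looks like in practice, here is an added example, not taken from the answer or from Spring, of a `PermissionEvaluator` whose decision depends on an admin-maintained set of "open" resource ids: an open resource is readable by anyone, everything else requires `ROLE_USER`. The class name `TogglePermissionEvaluator`, the `markOpen`/`markProtected` methods and the "read" permission string are assumptions.

```java
import java.io.Serializable;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Hypothetical evaluator behind hasPermission(...) in @PreAuthorize expressions,
 * e.g. @PreAuthorize("hasPermission(#id, 'resource', 'read')").
 * Resources whose id the admin marked open need no authentication at all.
 */
public class TogglePermissionEvaluator implements PermissionEvaluator {

    // Admin-controlled set of resource ids that are readable without authentication
    private static final Set<String> openResourceIds = new CopyOnWriteArraySet<String>();

    public static void markOpen(String resourceId) {
        openResourceIds.add(resourceId);
    }

    public static void markProtected(String resourceId) {
        openResourceIds.remove(resourceId);
    }

    /** Domain-object form: treat the object's string form as its id. */
    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        return hasPermission(auth, String.valueOf(targetDomainObject), "resource", permission);
    }

    /** Id/type form, the one used by hasPermission(#id, 'resource', 'read'). */
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType,
                                 Object permission) {
        if ("read".equals(permission) && openResourceIds.contains(String.valueOf(targetId))) {
            return true; // admin exposed this resource; anonymous callers are allowed
        }
        // Everything else falls back to the normal rule: an authenticated ROLE_USER
        return auth != null && auth.isAuthenticated() && hasRole(auth, "ROLE_USER");
    }

    private static boolean hasRole(Authentication auth, String role) {
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (role.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

It is wired in through a `DefaultMethodSecurityExpressionHandler` bean whose `permissionEvaluator` property points at this class, referenced from `<security:global-method-security pre-post-annotations="enabled">` via `<security:expression-handler ref="..."/>`. The caveat for the questioner's setup is that this only decides at the method level: with http-basic protecting every URL in the filter chain, an unauthenticated third-party request is rejected before any `hasPermission` expression runs, so the open resources must also be reachable through the filter layer (for instance an `intercept-url` granting `IS_AUTHENTICATED_ANONYMOUSLY` on their paths).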