Reputation: 23
I have generated a Spring project using Roo, and used the security setup addon to add in Spring Security. The security works fine on Tomcat 7, but I am running into the following problem when trying to deploy to Websphere 7.0.0.19. I'm currently using Spring Security 3.1.0.RELEASE. I've seen other projects use the Spring DelegatingFilterProxy just fine within Websphere. Anybody have any ideas?
Error from StackTrace:
E org.springframework.web.context.ContextLoader initWebApplicationContext Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration
applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- HTTP security configurations -->
    <http auto-config="true" use-expressions="true">
        <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
        <logout logout-url="/resources/j_spring_security_logout" />
        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/jobtypes/**" access="isAuthenticated()" />
        <intercept-url pattern="/tests/**" access="permitAll" />
        <!-- Websphere Problem: IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain -->
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    </http>

    <!-- Configure Authentication mechanism -->
    <beans:bean name="myCompanyAuthenticationProvider" class="edu.mycompany.project.security.MyCompanyAuthenticationProvider" />
    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="myCompanyAuthenticationProvider" />
    </authentication-manager>
</beans:beans>
Thanks,
Upvotes: 2
Views: 4191
Reputation: 21720
For others reading this (and looking for an answer), the issue was logged as SEC-2034 and determined to be invalid. The problem is occurring due to the configuration being picked up twice.
Upvotes: 2
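To make the cause named in this answer concrete, here is an added Python sketch (not code from the question, the answers or Spring Security itself) that mirrors the FilterChainProxy ordering check: each <http> element becomes one filter chain, an element with no pattern attribute matches /**, and a chain list built from the same file loaded twice fails exactly as the stack trace in the question shows. The XML sample inside is constructed from the question's configuration, reduced to what the check looks at.

```python
"""Reproduce Spring Security 3.1's FilterChainProxy chain-ordering check."""
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"

# Constructed sample: the question's <http> element reduced to what the
# ordering check looks at.  No pattern attribute => the chain matches /**.
SECURITY_XML = """
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
  </http>
</beans:beans>
"""


def chain_patterns(xml_text):
    """One entry per <http> element: its request pattern, '/**' if absent.
    The <intercept-url> children do not create chains and are not inspected."""
    root = ET.fromstring(xml_text)
    return [http.get("pattern", "/**") for http in root.iter(f"{{{SEC_NS}}}http")]


def check_chain_order(patterns):
    """Every chain except the last must not be a universal matcher; otherwise
    requests never reach the later chains, which is what the exception reports."""
    for i, pattern in enumerate(patterns[:-1]):
        if pattern == "/**":
            raise ValueError(
                f"universal match pattern ('/**') at chain {i} shadows "
                f"{len(patterns) - i - 1} later chain(s)")
    return patterns


def simulate_context_load(config_files):
    """Build the chain list the way one ApplicationContext would: each file
    contributes its <http> chains in order.  Picking up the same file twice
    (e.g. from both the root context and the DispatcherServlet context)
    yields two /** chains, and the first one trips the ordering check."""
    patterns = []
    for xml_text in config_files:
        patterns.extend(chain_patterns(xml_text))
    return check_chain_order(patterns)


if __name__ == "__main__":
    print("loaded once:", simulate_context_load([SECURITY_XML]))
    try:
        simulate_context_load([SECURITY_XML, SECURITY_XML])
    except ValueError as exc:
        print("loaded twice:", exc)
```

The same XML is valid on its own; only the duplicate load produces the "universal match pattern" error, which is why reordering the intercept-url elements does not help.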
Reputation: 40176
Interesting... I'm using Spring Security 3.1.0.RELEASE and deploying to WAS 7 as well, but I never had issues with any of my apps. The only minor difference between yours and mine is I don't use expressions. Here's how mine looks:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http auto-config="true">
        <security:form-login login-page="/" authentication-failure-url="/?login_error=1" default-target-url="/"
            always-use-default-target="true"/>
        <security:logout logout-success-url="/" />
        <security:intercept-url pattern="/secure/**" access="ROLE_ADMIN,ROLE_USER"/>
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    </security:http>
    ...
</beans>
Another key difference is my catch-all /** is opened for anonymous access whereas yours is restricted to ROLE_USER.
Upvotes: 1