Reputation: 555
I'm very new to Spring and a bit of a newb in Java as well, so I may be missing something obvious. We deploy to WAS for UAT and prod but are starting to move to embedded jetty as our apps are pretty lightweight.
Soooo ... we've been hacking our web.xml to comment out the <filter> tags and commenting out the for spring security.xml in application context. Not ideal as we use maven. So as a learning exercise I'm trying to get this to work tidily and been reading a lot of blogs and questions here and, frankly, getting confused.
My first try was to leave the <filter> in web.xml and create a new beans profile="jettyLocal" with http auto-config="true" security="none". Then I start jetty from RTC with -Dspring.profiles.active="JettyLocal". This seems to have no effect. I.e. with or without that I still get a chain of exceptions - "no authentication manager" and error creating the spring filterChains bean.
Is the problem that web.xml is loaded before the -Dspring.. is processed? Am I asking the wrong question? Happy to RTFM if you can give me pointers. I have Spring in Action 3.0 but can't see anything relevant, maybe due to my lack of experience.
eta: To clarify as I was unclear. I have the app working nicely with Spring-security on an external WAS with AD security, a localhost WAS with a user-service tag giving a hardcoded user name managed by named profile beans. What I am struggling with is keeping those 2 but having no security for running quick tests with jetty:run. Thanks for the suggestions thus far. All good reading.
eta 2: The samples I can find all assume I'll be testing a whole web app with logon pages etc. But I want to use jetty:run for quick tests of classes or packages that can respond to web calls using a simple test harness.
eta 3: I've managed to get close enough to what I want by adding to spring-security.xml
    <beans:beans profile="dev">
        <authentication-manager>
            <authentication-provider>
                <user-service>
                    <user name="xxx" password="xxx" authorities="xxx" />
                </user-service>
            </authentication-provider>
        </authentication-manager>
    </beans:beans>
and starting jetty with -Dspring.profiles.active="dev"
Upvotes: 2
Views: 1338
Reputation: 47290
To make parts of your application unsecure, just apply no security to http patterns; part of my app context looks like this:
<security:http pattern="/css/**" security="none" />
Upvotes: 1
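The two approaches in this thread combined in one spring-security.xml, as an added example that is not from either post. It assumes Spring 3.1 and Spring Security 3.1 (nested profile-scoped beans and security="none" on the http element), the security namespace as the default namespace as in the question's snippet, and web.xml keeping its DelegatingFilterProxy filter unchanged; the user name, password and ROLE_USER authority are constructed placeholders.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Profile-scoped <beans> blocks must be the last children of the root element. -->

    <!-- Active only with -Dspring.profiles.active=jettyLocal.
         Profile names are matched case-sensitively, so "JettyLocal" would not
         activate this block. Every request maps to an empty filter chain, so the
         springSecurityFilterChain bean that web.xml's filter looks up still exists
         and no authentication manager is needed.
         Never list this profile in a UAT or prod launch configuration. -->
    <beans:beans profile="jettyLocal">
        <http pattern="/**" security="none" />
    </beans:beans>

    <!-- Active only with -Dspring.profiles.active=dev.
         Security stays on, backed by a hardcoded in-memory user. -->
    <beans:beans profile="dev">
        <http auto-config="true">
            <intercept-url pattern="/**" access="ROLE_USER" />
        </http>
        <authentication-manager>
            <authentication-provider>
                <user-service>
                    <!-- placeholder credentials, constructed for this example -->
                    <user name="devuser" password="CHANGE_ME" authorities="ROLE_USER" />
                </user-service>
            </authentication-provider>
        </authentication-manager>
    </beans:beans>

</beans:beans>
```

If neither profile is active, this file defines no http element at all and the filter in web.xml fails at startup because the springSecurityFilterChain bean is missing, so the deployed environments need their own profile block or an unscoped http element.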