Kathir
Reputation: 6196
A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored
I am running into this issue with Spring 3.1.3 release and with the following application context file. I am not quite sure why does this occur. Have looked into most of the posts related to this. I dont think I have a version mismatch.
Application Context file:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http auto-config='true' entry-point-ref="casEntryPoint" >
<security:intercept-url pattern="/panelpipeline/**" access="ROLE_USER"/>
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
</security:http>
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<property name="service"
value="https://seqdws1/cas/j_spring_cas_security_check" />
<property name="sendRenew" value="false" />
</bean>
<security:http entry-point-ref="casEntryPoint">
<security:custom-filter position="CAS_FILTER"
ref="casFilter" />
</security:http>
<bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="https://seqdws1/cas/login" />
<property name="serviceProperties" ref="serviceProperties" />
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
ref="casAuthenticationProvider" />
</security:authentication-manager>
<bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="userDetailsService" ref="userService" />
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="https://seqdws1/cas" />
</bean>
</property>
<property name="key" value="an_id_for_this_auth_provider_only" />
</bean>
<security:user-service id="userService">
<security:user name="joe" password="joe" authorities="ROLE_USER" />
</security:user-service>
<!-- <security:authentication-manager> <security:authentication-provider>
<security:user-service> <security:user name="jimi" password="jimispassword"
authorities="ROLE_USER, ROLE_ADMIN" /> <security:user name="bob" password="bobspassword"
authorities="ROLE_USER" /> </security:user-service> </security:authentication-provider>
</security:authentication-manager> -->
POM dependencies
<dependencies>
<dependency>
<groupId>com.google.gwt</groupId>
<artifactId>gwt-servlet</artifactId>
<version>${gwtVersion}</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>com.google.gwt</groupId>
<artifactId>gwt-user</artifactId>
<version>${gwtVersion}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.7</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>javax.validation</groupId>
<artifactId>validation-api</artifactId>
<version>1.0.0.GA</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>javax.validation</groupId>
<artifactId>validation-api</artifactId>
<version>1.0.0.GA</version>
<classifier>sources</classifier>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-asm</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-expression</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>3.1.3.RELEASE</version>
</dependency>
</dependencies>
Upvotes: 1
Views: 4263
Answers (1)
Shaun the Sheep
Reputation: 22762
The configuration you've posted has two <http> elements, neither of which has a pattern attribute so both are implicitly defined to match all requests. The second one will overwrite the first.
That doesn't necessarily explain why you are seeing this message (since it should normally apply to filters within a single chain), but it is definitely a mistake.
You should also probably remove auto-config='true' unless you know for sure that you want the extra filters which it implicitly adds.
Upvotes: 10
Related Questions
- Spring security filter is never invoked
- Error: universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored
- A Universal Match Pattern ('/**') is Defined Before Other Patterns
- Filter pattern definition doesn't apply
- A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored
- spring security filter chain url pattern matching
- Configuring a Spring Security Filter Chain with a pattern returns 404 for /j_spring_security_check
- Error: A universal match pattern ('/**') is defined before other patterns in the filter chain
- Spring Security 3.0.5 Custom Filter Issue
- spring security filter-chain regex pattern