CODEWITHSUNDEEP
xmlspringspring-mvcspring-security
Darya Dorskaya
Darya Dorskaya

Reputation: 43

Security namespace does not support decoration of element [custom-filter]

I need to perform custom authorization, so I've predetermined AuthenticationManager and LoginUrlAuthenticationEntryPoint and set it into UsernamePasswordAuthenticationFilter.

Here is my spring-security.xml: 

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <security:http auto-config="false" entry-point-ref="alterAuthenticationEntryPoint" create-session="always" use-expressions="true">
        <security:intercept-url pattern="/blog**" access="hasRole('ROLE_ADMIN')"/>
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <security:user-service>
                <security:user name="d" password="secret" authorities="ROLE_ADMIN"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

    <security:custom-filter position="FORM_LOGIN_FILTER" ref="customizedFormLoginFilter"/><!--replace the default one-->

    <bean id="customizedFormLoginFilter"
          class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager"
                  ref="alterAuthenticationManager"/>
        <property name="allowSessionCreation" value="true"/> 
    </bean>

    <!--Custom auth manager-->
    <bean id="alterAuthenticationManager" class="com.fluid.ixtrm.newmodule.security.CustomAuthenticationManager"/>

    <!--Authentication entry point-->
    <bean id="alterAuthenticationEntryPoint" class="com.fluid.ixtrm.newmodule.security.CustomAuthenticationEntryPoint">
        <constructor-arg type="java.lang.String" value="/blog"/>
    </bean>

</beans>

Both classes (CustomAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint and CustomAuthenticationManager implements AuthenticationManager) are implemented, but it would be too much code samples (I don't think that they cause the problem).

I'm getting the following error: 

org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Security namespace does not support decoration of element [custom-filter]
Offending resource: ServletContext resource [/WEB-INF/spring-security.xml]

I use Spring Security 3.2.3, and custom-filter tag is present in spring-security-3.2.xsd. Tell me please what is incorrect in my security config.

Upvotes: 3

Views: 4463

Answers (1)

dur
dur

Reputation: 17009

Your configuration is not valid, see Spring Security Reference:

41.1.19 <custom-filter>

This element is used to add a filter to the filter chain. It doesn’t create any additional beans but is used to select a bean of type javax.servlet.Filter which is already defined in the application context and add that at a particular position in the filter chain maintained by Spring Security. Full details can be found in the namespace chapter.

Parent Elements of <custom-filter>

  • http

Your modified configuration of <security:http>:

<security:http auto-config="false" entry-point-ref="alterAuthenticationEntryPoint" create-session="always" use-expressions="true">
   <security:intercept-url pattern="/blog**" access="hasRole('ROLE_ADMIN')"/>
   <security:custom-filter position="FORM_LOGIN_FILTER" ref="customizedFormLoginFilter"/>
</security:http>

Upvotes: 3

Related Questions