Spring Security 3.0.3 and custom authentication processing filter

I use Spring Security 3.0.3.RELEASE. I would like to create a custom authentication processing filter.

I have created a filter like this:

// imports ommited
public class myFilter extends AbstractAuthenticationProcessingFilter {
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, Se开发者_JAVA百科rvletException {
        // some code here
    }
}

I configures my security.xml in the following way:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:beans="http://www.springframework.org/schema/beans"
         xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http auto-config="true">
        <!--<session-management session-fixation-protection="none"/>-->
        <custom-filter ref="ipFilter" before="FORM_LOGIN_FILTER"/>
        <intercept-url pattern="/login.jsp*" filters="none"/>
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <form-login login-page="/login.jsp" always-use-default-target="true"/>
        <logout logout-url="/logout" logout-success-url="/login.jsp" invalidate-session="true"/>
    </http>

    <beans:bean id="ipFilter" class="myFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
    </beans:bean>

    <authentication-manager alias="authenticationManager" />
</beans:beans>

Everything seems to be right, but when I try to access to protected pages insted of myFilter.attemptAuthentication called myFilter.doFilter.

Any ideas why?

Of course servlet container calls MyFilter.doFilter - after all, this is the entry point into the filter.

In your specific case, the servlet container is supposed to call doFilter() on AbstractAuthenticationProcessingFilter, not on MyFilter.

AbstractAuthenticationProcessingFilter.doFilter() in turn is responsible for calling MyFilter.attemptAuthentication().

If that is not the case, maybe you overrode doFilter() in MyFilter? If yes, better remove that (or at least call super.doFilter()). See JavaDocs of AbstractAuthenticationProcessingFilter for more details.

EDIT: MinimeDJ clarified that everything is as I am suggesting above. In that case, I suggest to check the value of filterProcessesUrl property. From the JavaDocs:

This filter will intercept a request and attempt to perform authentication from that request if the request URL matches the value of the filterProcessesUrl property. This behaviour can modified by overriding the method requiresAuthentication.

So you can:

• either set the appropriate filterProcessesUrl value (usually something like /j_spring_security_check)
• or you can override requiresAuthentication method to always return true.

If you are still having problems then I suggest you take a debugger and step through spring-security (and your) code to see where exactly the issue occurs.