I added Spring Security to my project, but when I put the filters on the URLs, they do not work: a user who is not logged in can still get access. I tried putting the annotations @Secured({'ADMIN'}) and @Secured("hasRole('ADMIN')") on the controller methods, but that still does not work. What could be wrong? I have a security-context.xml application context in web.xml. Spring brings up the security configuration itself, but the filters do not work.
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Servlet 3.0 deployment descriptor for the MedPhoto application. It creates a root
  Spring context (ContextLoaderListener), a DispatcherServlet with its own context
  from /WEB-INF/spring-web.xml, the Spring Security filter proxy mapped to /*, and a
  Hibernate OpenSessionInViewFilter.
-->
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         metadata-complete="true"
         version="3.0">
  <display-name>Spring MVC MedPhoto Application</display-name>

  <!--
    Root context location. NOTE(review): only applicationContext.xml is listed here;
    security-context.xml is not referenced anywhere in this descriptor. The
    DelegatingFilterProxy below looks up its target bean in the root context, so
    security-context.xml has to be pulled in from applicationContext.xml (not shown;
    confirm that it is, and that it is the file actually being edited).
  -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value> classpath:/META-INF/spring/applicationContext.xml </param-value>
  </context-param>

  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
  </listener>

  <!--
    The DispatcherServlet builds a separate child context from spring-web.xml.
    NOTE(review): method-security annotations such as @Secured are only applied to
    beans of the context that declares global-method-security. If the controllers are
    defined in spring-web.xml (presumably; confirm), the declaration has to be in that
    file too, otherwise the annotations on controller methods are silently ignored.
  -->
  <servlet>
    <servlet-name>spring-servlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/spring-web.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>spring-servlet</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

  <!--
    Spring Security entry point. The filter name must equal the bean name
    springSecurityFilterChain, which the security namespace registers. The /* mapping
    hands every request to the proxy; which of them are actually protected is decided
    by the security:http elements, not here. No dispatcher element is given, so only
    the default REQUEST dispatch passes through this filter; forwards and includes
    are not re-checked.
  -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- session-timeout is expressed in minutes: 300 keeps an idle session alive for
       five hours. NOTE(review): confirm this is intended. -->
  <session-config>
    <session-timeout>300</session-timeout>
  </session-config>

  <!-- Keeps a Hibernate session open for the duration of the request. -->
  <filter>
    <filter-name>hibernateFilter</filter-name>
    <filter-class>org.springframework.orm.hibernate4.support.OpenSessionInViewFilter</filter-class>
    <init-param>
      <param-name>singleSession</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>

  <!-- Disabled custom authentication filter, kept for reference:
  <filter>
    <filter-name>AuthenticationFilter</filter-name>
    <filter-class>com.generatedesign.medphoto.core.framework.filters.RestAuthenticationFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>AuthenticationFilter</filter-name>
    <url-pattern>*</url-pattern>
  </filter-mapping>
  -->

  <!-- Declared after the security filter mapping, so the security chain runs first. -->
  <filter-mapping>
    <filter-name>hibernateFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
  </filter-mapping>

  <!-- NOTE(review): the active profile is fixed inside the packaged descriptor, so
       every deployment of this WAR starts with LOCALDEV. Confirm that development-only
       settings cannot reach a production deployment this way. -->
  <context-param>
    <param-name>spring.profiles.active</param-name>
    <param-value>LOCALDEV</param-value>
  </context-param>

  <!-- Data Source: container-managed JNDI pool (res-auth is Container). -->
  <resource-ref>
    <description>Connection Pool</description>
    <res-ref-name>jdbc/medphoto</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
  <!-- End of Data Source -->
  <!-- NOTE(review): the closing web-app tag is missing from the listing as posted. -->
security-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security configuration: one stateless filter chain restricted to
  /medphoto/**, a custom token filter placed at the form-login position, and an
  authentication manager backed by a custom UserDetailsService.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

  <!--
    NOTE(review): the pattern attribute limits this whole filter chain to requests
    matching /medphoto/**. Any request that does not match bypasses the chain, and no
    other security:http element is declared in this file, so such requests are not
    secured at all.
    Patterns are matched against the path inside the application, without the context
    path. If "medphoto" is the context path the WAR is deployed under (not visible
    here; confirm), no request ever matches and nothing is protected. In that case
    drop the pattern attribute, or use /** and write the intercept-url patterns
    relative to the application root.
  -->
  <security:http pattern="/medphoto/**"
                 entry-point-ref="restAuthenticationEntryPoint"
                 use-expressions="true"
                 auto-config="false"
                 create-session="stateless" >
    <!-- NOTE(review): /login and /account/getall lie outside /medphoto/**, so inside
         this chain these two rules can never match; the ADMIN restriction on
         /account/getall is therefore not enforced as written. -->
    <security:intercept-url pattern="/login" access="permitAll" />
    <!-- NOTE(review): hasRole('ADMIN') is compared with the authority strings returned
         by the UserDetailsService. Whether a ROLE_ prefix is added automatically
         depends on the Spring Security version; confirm that the stored authorities
         match. -->
    <security:intercept-url pattern="/account/getall" access="hasRole('ADMIN')" />
    <!-- Token filter placed at the form-login position of the chain. -->
    <security:custom-filter ref="authenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" />
    <!-- Catch-all rule: every other request handled by this chain needs an
         authenticated user. -->
    <security:intercept-url pattern="/medphoto/**" access="isAuthenticated()" />
    <security:logout />
  </security:http>

  <!--
    NOTE(review): no security:global-method-security element is declared in this file,
    so @Secured on controller methods has no effect. Method security has to be enabled
    (secured-annotations="enabled", and pre-post-annotations="enabled" for
    @PreAuthorize) in the context that defines the controllers. @Secured takes plain
    authority names; an expression such as hasRole('ADMIN') belongs in @PreAuthorize.
  -->

  <bean id="userDetailsService" class="com.generatedesign.medphoto.core.serviceimpl.UserDetailsServiceImpl" />
  <bean id="restAuthenticationEntryPoint" class="com.generatedesign.medphoto.core.serviceimpl.RestAuthenticationEntryPoint" />

  <!-- userDetailsService is a custom implementation of Spring Security's UserDetailsService -->
  <security:authentication-manager>
    <security:authentication-provider user-service-ref="userDetailsService">
      <!--
        NOTE(review): passwords are stored as MD5 digests salted with the username.
        MD5 is a fast hash and the salt is predictable, so a leaked credential table
        can be attacked offline cheaply. Prefer an adaptive encoder such as
        BCryptPasswordEncoder (referenced through the ref attribute) and plan a
        migration, since existing digests must be re-encoded, for example at each
        user's next successful login.
      -->
      <security:password-encoder base64="true" hash="md5">
        <security:salt-source user-property="username" />
      </security:password-encoder>
    </security:authentication-provider>
  </security:authentication-manager>

  <!-- Custom token filter. The constructor argument is presumably the URL pattern the
       filter processes (TODO confirm against TokenAuthenticationFilter); the same
       context-path caveat as on security:http applies to it. -->
  <bean class="com.generatedesign.medphoto.core.framework.filters.TokenAuthenticationFilter"
        id="authenticationTokenProcessingFilter">
    <constructor-arg type="java.lang.String">
      <value>/medphoto/**</value>
    </constructor-arg>
  </bean>
  <!-- NOTE(review): the closing beans tag is missing from the listing as posted. -->