I am using Spring Security 3, and I want to execute some logic (saving some data in a session) when the user visits the site, and he remembered. I extended the GenericFilterBean class, executed the logic in the doFilter method, and then terminated the filter chain by calling the chain.doFilter method. I inserted this filter after the Remember Me filter in the security.xml file.
But the problem is that the filter is executed on each page, regardless of whether the user is remembered or not. Is there something wrong with the filter implementation or with the filter position?
Is the default filter chain executed on every page? When creating a custom filter, should I add it also in web.xml?
Filter class:
package projects.internal;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;
import projects.ProjectManager;
public class rememberMeFilter extends GenericFilterBean {
private ProjectManager projectManager;
@Autowired
public rememberMeFilter(ProjectManager projectManager) {
this.projectManager = projectManager;
}
@Override
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain) throws IOException, ServletException {
System.out.println("In The Filter");
Authentication auth = (Authentication) SecurityContextHolder
.getContext().getAuthentication();
HttpServletResponse response = ((HttpServletResponse) res);
HttpServletRequest request = ((HttpServletRequest) req);
if (auth == null) {
chain.doFilter(request, response);
}
else {
System.out.println("User Is Remembered");
chain.doFilter(request, response);
}
}
}
security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<global-method-security pre-post-annotations="enabled">
</global-method-security>
<http use-expressions="true" >
<remember-me data-source-ref="dataSource"/>
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/images/**" filters="none" />
<intercept-url pattern="/scripts/**" filters="none" />
<intercept-url pattern="/styles/**" filters="none" />
<intercept-url pattern="/p/login" filters="none" />
<intercept-url pattern="/p/register" filters="none" />
<intercept-url pattern="/p/forgot_password" filters="none" />
<intercept-url pattern="/p/**" access="isAuthenticated()" />
<custom-filter after="REMEMBER_ME_FILTER" ref="rememberMeFilter" />
<form-login login-processing-url="/j_spring_security_check"
login-page="/p/login" authentication-failure-url="/p/login?login_error=1"
default-target-url="/p/dashboard" authentication-success-handler-ref="myAuthenticationHandler"
always-use-default-target="false" />
<logout/>
</http>
<beans:bean id="myAuthenticationHandler" class="projects.internal.myAuthenticationHandler" />
<beans:bean id="rememberMeFilter" class="projects.internal.rememberMeFilter" >
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<password-encoder hash="md5" />
<jdbc-user-service data-source-ref="dataSource" />
</authentication-provider>
</authentication-manager>
</beans:beans>
?