Spring Security 3.0: How do I specify URLs to which a custom filter applies?

Question

I am using Spring Security 3.0 with JSPs. I have created a RequireVerificationFilter that redirects unverified users to a \"verify your email\" page.

I added the fi

Answer 1

You should use org.springframework.security.web.FilterChainProxy for this. the attribute filter should only containts none:

<http ...>
      <custom-filter ref="requireVerificationFilterChain" after="LAST" />
</http>

<b:bean id="requireVerificationFilterChain" class="org.springframework.security.web.FilterChainProxy">
        <filter-chain-map request-matcher="ant">
            <filter-chain pattern="/account/*" filters="requireVerificationFilter"/>
        </filter-chain-map>
</b:bean>
<b:bean id="requireVerificationFilter" class="com.ebisent.web.RequireVerificationFilter" />

Answer 2

You have to do this inside the actual configuration xml (same place you have the <custom-filter ref="requireVerificationFilter" after="LAST" /> .

<http ...>
   <intercept-url pattern="/access" ... filters="..., requireVerificationFilter, ..." />
   <intercept-url pattern="/verify" ... filters="none" />
   ...
</http>

Something along those lines, you can specify a list of the filters you want to run and exclude those you don't (and "none" means none). You should not need to add tyour filter to the web.xml - only inline with the Spring Security filter chain.