A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored

问题

Spring Security basic example gives this exception.

Error: "A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your namespace or FilterChainProxy bean configuration"

I have checked many posts on this same issue. But could not find any solution. Anyone able to deploy a hello spring security?

I am using these versions - Spring 3.2.0.RELEASE / Spring security 3.2.0.RELEASE / Tomcat 7 / Java 1.7.

Here is my code:

web.xml

<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
    <display-name>Spring security sample Web Application</display-name>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring-context.xml,
            /WEB-INF/security-context.xml</param-value>
    </context-param>

    <!-- Spring security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>spring-dispatcher-servlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring-context.xml</param-value>
        </init-param>
    </servlet>

    <servlet-mapping>
        <servlet-name>spring-dispatcher-servlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

</web-app>

spring-context.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd 
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="jay" password="jay" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

    <http auto-config="true">
        <intercept-url pattern="/pages/hello.jsp" access="ROLE_USER" />
    </http>

</beans:beans>

MyController.java

package com.jai.spring.security.controller;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class MyConroller {

    @RequestMapping(value = "/security", method = RequestMethod.GET)
        public String security(Model model) {
            System.out.println("calling ... /security");
            model.addAttribute("name", "Jay");
            return "pages/hello";
        }


    @RequestMapping(value = "/profile", method = RequestMethod.GET)
        public String profile(Model model) {
            System.out.println("calling ... /profile");
            return "user/profile";
        }
}

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.jai.spring.security</groupId>
    <artifactId>springsec</artifactId>
    <packaging>war</packaging>
    <version>0.0.1-SNAPSHOT</version>
    <name>springsec Maven Webapp</name>
    <url>http://maven.apache.org</url>

    <properties>
        <spring-version>3.2.0.RELEASE</spring-version>
        <spring-security-version>3.2.0.RELEASE</spring-security-version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-web</artifactId>
            <version>${spring-version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>${spring-version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>${spring-security-version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>${spring-security-version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>${spring-security-version}</version>
        </dependency>

        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.14</version>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>3.8.1</version>
            <scope>test</scope>
        </dependency>


    </dependencies>
    <build>
        <finalName>springsec</finalName>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>2.3.2</version>
                <configuration>
                    <source>1.7</source>
                    <target>1.7</target>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.tomcat.maven</groupId>
                <artifactId>tomcat7-maven-plugin</artifactId>
                <version>2.2</version>

                <configuration>
                    <url>http://localhost:8080/manager/text</url>
                    <server>localhost</server>
                    <path>/${project.build.finalName}</path>
                </configuration>
            </plugin>
        </plugins>
    </build>

</project>

File structure

回答1:

You are incorrectly using your XML context files, which lead to duplicate bean definition (including security config). And <http> configuration without a pattern attribute maps to /** => your error.

Here you define root XML context file for the servlet:

<servlet>
    <servlet-name>spring-dispatcher-servlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring-context.xml</param-value>
    </init-param>
</servlet>

Create a new context config instead (you can omit this declaration if you use the default name, which is {your-servlet-name}-servlet.xml => spring-dispatcher-servlet-servlet.xml):

    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/dispatcher-servlet.xml</param-value>
    </init-param>

The difference between the root and the servlet contexts was discussed several times here on StackOverflow. Basically the root context (spring-context.xml and security-context.xml in your case) should hold application wide beans (services, DAOs, including security configuration) and the dispatcher context (dispatcher-servlet.xml in my example) should hold dispatcher servlet specific beans like controllers, view resolvers, etc.