I have a web application with spring security configured to limit access on both URLs and methods. I want to disable it entirely by-default, and allow my customers to easily turn it on if they want to (they can only access “spring-security.xml”).
I managed to turn off the URL interception, but my method security is still enabled…
Any clue?
(I don’t want to let the customer change my web.xml, so unfortunately modifying the “global-method-security” setting each time is not an option…)
This is my updated spring-security.xml configuration:
<http auto-config='true' use-expressions="true">
<intercept-url pattern="/**" access="permitAll" />
<http-basic />
<anonymous />
</http>
I have overriden the DelegatingFilterProxy.doFilter method like this:
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
final String springSecured = System.getProperty("springSecured");
if (StringUtils.isNotBlank(springSecured) && springSecured.equalsIgnoreCase("true")) {
// Call the delegate
super.doFilter(request, response, filterChain);
} else {
// Ignore the DelegatingProxyFilter delegate
filterChain.doFilter(request, response);
}
}
and this is an example of the method security I have:
@RequestMapping(
value = "applications/{applicationName}/timeout/{timeout}",
method = RequestMethod.POST)
public
@ResponseBody
@PreAuthorize("isFullyAuthenticated() and hasPermission(#authGroups, 'deploy')")
Object deployApplication() {
// ...
}
If I were you I wouldn’t use a custom filter chain implementation, just the one out of the box. You can enable and disable sections of bean configuration (since Spring 3.0) with nested elements, so something like this might be convenient:
Your application is now unprotected in the default profile (and any other but the “secure” profile). You can enable the secure profile by providing a system property spring.profiles.active=secure, or by explicitly setting it in a context or servlet initializer.