Home/ Questions/Q 3391674
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T03:49:47+00:00

I use Spring Security 3.0.3.RELEASE. I would like to create a custom authentication processing

  • 0

I use Spring Security 3.0.3.RELEASE. I would like to create a custom authentication processing filter.

I have created a filter like this:

// imports ommited
public class myFilter extends AbstractAuthenticationProcessingFilter {
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
        // some code here
    }
}

I configures my security.xml in the following way:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:beans="http://www.springframework.org/schema/beans"
         xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http auto-config="true">
        <!--<session-management session-fixation-protection="none"/>-->
        <custom-filter ref="ipFilter" before="FORM_LOGIN_FILTER"/>
        <intercept-url pattern="/login.jsp*" filters="none"/>
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <form-login login-page="/login.jsp" always-use-default-target="true"/>
        <logout logout-url="/logout" logout-success-url="/login.jsp" invalidate-session="true"/>
    </http>

    <beans:bean id="ipFilter" class="myFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
    </beans:bean>

    <authentication-manager alias="authenticationManager" />
</beans:beans>

Everything seems to be right, but when I try to access to protected pages insted of myFilter.attemptAuthentication called myFilter.doFilter.

Any ideas why?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Of course servlet container calls MyFilter.doFilter – after all, this is the entry point into the filter.

    In your specific case, the servlet container is supposed to call doFilter() on AbstractAuthenticationProcessingFilter, not on MyFilter.

    AbstractAuthenticationProcessingFilter.doFilter() in turn is responsible for calling MyFilter.attemptAuthentication().

    If that is not the case, maybe you overrode doFilter() in MyFilter? If yes, better remove that (or at least call super.doFilter()). See JavaDocs of AbstractAuthenticationProcessingFilter for more details.

    EDIT: MinimeDJ clarified that everything is as I am suggesting above. In that case, I suggest to check the value of filterProcessesUrl property. From the JavaDocs:

    This filter will intercept a request and attempt to perform authentication from that request if the request URL matches the value of the filterProcessesUrl property. This behaviour can modified by overriding the method requiresAuthentication.

    So you can:

    • either set the appropriate filterProcessesUrl value (usually something like /j_spring_security_check)
    • or you can override requiresAuthentication method to always return true.

    If you are still having problems then I suggest you take a debugger and step through spring-security (and your) code to see where exactly the issue occurs.

    • 0