First of all, let me thank you a lot for the great help you give in this site!
Well, I will go right to the point: I am a newbie in spring and I have used appfuse for creating a new web app. The initial idea was to create a simple platform with a frontend and then, invoke the rest services from an external client.
The problem is that I am unable to define a security.xml file in which the pages and the REST services use different authentication methods.
My idea was a login form for the pages and an authenticator based on URL params for the services, but the only thing I get is an exception:
"A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored"
I have tried each one of them separately and they work, but when I combine them in the same file, the exception is raised.
<!-- Static resources. security="none" means requests matching these patterns bypass the
     Spring Security filter chain entirely, so nothing is authenticated or authorized and
     no SecurityContext is available while serving them.
     NOTE(review): the "*" after styles, scripts and assets also matches any other top-level
     path that merely starts with that word; keep only public files under such paths. -->
<http pattern="/images/**" security="none"/>
<http pattern="/styles*/**" security="none"/>
<http pattern="/scripts*/**" security="none"/>
<http pattern="/assets*/**" security="none"/>
<!-- Filter chain intended for the REST services.
     NOTE(review): this <http> element has no pattern attribute, so it matches every request.
     The "universal match pattern ('/**')" exception is about filter chains (<http> elements),
     not about <intercept-url> rows: a chain that matches everything has to be the last <http>
     in the file, and a second pattern-less <http> follows this one. Removing an
     <intercept-url pattern="/**"> row therefore does not help; scoping this chain with
     pattern="/services/**" does.
     The restAuthenticationEntryPoint bean is not defined in the snippet shown here. -->
<http entry-point-ref="restAuthenticationEntryPoint">
<!-- ROLE_ADMIN is listed twice; the duplicate entry has no effect. -->
<intercept-url pattern="/services/**" access="ROLE_ADMIN,ROLE_ADMIN,ROLE_USER"/>
<!-- myFilter is placed in the form-login filter slot of this chain. -->
<custom-filter ref="myFilter" position="FORM_LOGIN_FILTER"/>
<logout />
</http>
<!-- Stock UsernamePasswordAuthenticationFilter wired to the shared authenticationManager,
     with a project-specific success handler (MyAuthSuccessHandler, source not shown).
     NOTE(review): this filter reads the credentials from request parameters. If they are sent
     in the URL query string, as the text above suggests, they end up in access logs, browser
     history and Referer headers; a header-based scheme over HTTPS avoids that exposure. -->
<beans:bean id="myFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="authenticationSuccessHandler" ref="mySuccessHandler"/>
</beans:bean>
<beans:bean id="mySuccessHandler" class="org.bringer.webapp.authentication.MyAuthSuccessHandler"/>
<!-- Filter chain for the web pages. It has no pattern attribute, so it matches every request
     and has to be the last <http> element in the file. -->
<http auto-config="true" access-denied-page="/accessdenied">
<!-- intercept-url rows are evaluated top to bottom and the first match decides, so the
     specific patterns come first and /** comes last. -->
<intercept-url pattern="/login*/**" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<!-- NOTE(review): /admin/* matches only one path segment below /admin. Deeper paths such as
     /admin/a/b fall through to the /** row, which also admits ROLE_USER. Confirm against the
     application's URL layout; /admin/** would cover the whole subtree. -->
<intercept-url pattern="/admin/*" access="ROLE_ADMIN"/>
<intercept-url pattern="/passwordhint*/**" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<intercept-url pattern="/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<!-- Default rule: everything not matched above requires an authenticated user or admin. -->
<intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER"/>
<form-login login-page="/login"
default-target-url="/home"
always-use-default-target="true"
authentication-failure-url="/login/error"
login-processing-url="/j_security_check"/>
<!-- The key is mixed into the signature of remember-me cookies.
     NOTE(review): this value is hard-coded and published on this page; use a secret that is
     unique per deployment and kept out of shared or public configuration. -->
<remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
</http>
<!-- Authentication manager shared by the filter chains: users are loaded through userDao and
     passwords are verified with the passwordEncoder bean (defined elsewhere), salted via
     saltSource. -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDao">
<password-encoder ref="passwordEncoder">
<salt-source ref="saltSource"/>
</password-encoder>
</authentication-provider>
</authentication-manager>
<!-- Uses each user's username property as the password salt.
     NOTE(review): a username is a predictable salt. Later Spring Security releases dropped the
     salt-source mechanism in favour of encoders that generate a random salt per password
     (for example BCryptPasswordEncoder); check which encoder passwordEncoder refers to. -->
<beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource"
p:userPropertyToUse="username"/>
<!-- Method-level authorization, enforced independently of the URL rules: any call to
     UserManager.getUsers or UserManager.removeUser in a package ending in "service"
     requires ROLE_ADMIN, whichever URL or entry point triggered it. -->
<global-method-security>
<protect-pointcut expression="execution(* *..service.UserManager.getUsers(..))" access="ROLE_ADMIN"/>
<protect-pointcut expression="execution(* *..service.UserManager.removeUser(..))" access="ROLE_ADMIN"/>
</global-method-security>
I have even removed the "/**" pattern, but I still get the same exception.
Might someone point me in the right direction, please? Any help would be greatly appreciated.
Solved!
This is the security.xml that helped me to solve it
<!-- REST filter chain. The pattern attribute limits it to /services/**, and it is declared
     before the pattern-less chain, which is what removes the "universal match pattern"
     exception. create-session="stateless" means Spring Security neither creates nor uses an
     HTTP session here, so every request has to carry its own credentials. -->
<http pattern="/services/**" create-session="stateless">
<!-- Inside this chain, /** applies to everything the chain handles, i.e. /services/**. -->
<intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" />
<!-- NOTE(review): HTTP Basic sends the username and password base64-encoded, not encrypted,
     on every request. Expose /services/** over HTTPS only, for example by adding
     requires-channel="https" to the intercept-url above. -->
<http-basic />
</http>
<!-- NOTE(review): security="none" removes the whole filter chain for /login*/**, which also
     covers /login/error. Pages served under it get no SecurityContext. If the login page needs
     one, the alternative is an intercept-url row on the main chain that grants ROLE_ANONYMOUS,
     as the configuration in the question did. The "*" after login also matches any other
     top-level path that starts with "login". -->
<http pattern="/login*/**" security="none"/>
<!-- Catch-all filter chain for the web pages. It has no pattern attribute, so it matches
     every request not claimed by an earlier <http> and has to stay last in the file. -->
<http auto-config="true" access-denied-page="/accessdenied">
<!-- NOTE(review): /admin/* matches only one path segment below /admin. Deeper paths such as
     /admin/a/b fall through to the /** row, which also admits ROLE_USER. Confirm against the
     application's URL layout; /admin/** would cover the whole subtree. -->
<intercept-url pattern="/admin/*" access="ROLE_ADMIN"/>
<intercept-url pattern="/passwordhint*/**" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<intercept-url pattern="/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<!-- Rows are evaluated in order and the first match decides; this default row stays last. -->
<intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER"/>
<form-login login-page="/login"
default-target-url="/home"
always-use-default-target="true"
authentication-failure-url="/login/error"
login-processing-url="/j_security_check"/>
<!-- The key is mixed into the signature of remember-me cookies.
     NOTE(review): this value is hard-coded and published on this page; use a secret that is
     unique per deployment and kept out of shared or public configuration. -->
<remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
</http>