[prev in list] [next in list] [prev in thread] [next in thread]
List: struts-user
Subject: Re: Warning: Spring Security and FileUploadInterceptor filter order
From: "Nils-Helge Garli Hegvik" <nilsga () gmail ! com>
Date: 2008-12-29 18:26:17
Message-ID: 7270d7cd0812291026q1c46452aldbe0c44fb5e1301a () mail ! gmail ! com
[Download RAW message or body]
Hi!
If you think you have found a bug in Struts 2, please register an
issue in the issue tracker at
https://issues.apache.org/struts/secure/Dashboard.jspa
Thanks.
Nils-H
On Mon, Dec 29, 2008 at 7:19 PM, dusty <dustin_pearce@yahoo.com> wrote:
>
> Hello,
>
> This vexed me, so I thought I would share to help anyone stuck with
> something similar....
>
> I have Spring Security protecting my Struts2 app. Originally I had my
> filters setup like this:
> <filter-mapping>
> <filter-name>struts-prepare</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>securityFilter</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>sitemesh</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>lazyLoadingFilter</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>struts-execute</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> The problem is that the FileUploadInterceptor looks at the request and tries
> to cast it to the Struts2 wrapper MultiPartRequestWrapper. With the Spring
> Security filter where it is above, the Struts2 dispatcher wraps the request
> (when it detects multipart/form-data) but then Spring Security builds its
> own request wrapper class for the request. The FileUploadInterceptor
> doesn't think its a MultiPartRequest and doesn't populate the setters on
> your action.
>
> The answer is to put Spring Security first:
> <filter-mapping>
> <filter-name>securityFilter</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>struts-prepare</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>sitemesh</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>lazyLoadingFilter</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>struts-execute</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> This way Spring Security does its thing and then Struts builds its wrapper
> after the user is authenticated. Knowing what I know now it seems obvious
> to put the Spring Security filter first, but I guess it wasn't that obvious
> to me originally. So maybe someone else will miss that as well and somehow
> google this post....
> --
> View this message in context: \
> http://www.nabble.com/Warning%3A--Spring-Security-and-FileUploadInterceptor-filter-order-tp21207025p21207025.html
> Sent from the Struts - User mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic