Tuesday, September 30, 2014

Spring Security Filter Chain Registration Using WebApplicationInitializer for Servlet 3.x

Starting from Servlet 3.x Specification some code saving features have been introduced such as XML less annotation based Servlet and Filter registration. In conjunction with this Spring has introduced WebApplicationInitializer interface which allows the registration of Servlet and Filters using Java instead of using web.xml file.

This is neat feature because this will eliminate the need for the XML files required in the Spring MVC based web applications. Since most of the Spring Application Context configurations are also directing towards Java Config, Moving to would be ideal;

I read the documentation of the Spring WebApplicationInitializer and was able to register both DispatcherServlet and DelegatingFilterProxy in using it. So the following web.xml tags;

<context-param>
    <param-name>contextClass</param-name>
    <param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
  </context-param>
  <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>com.lkbotics.visualizer.config.AppConfig</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      <async-supported>true</async-supported>
  </filter>
  <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter>
      <filter-name>eTagFilter</filter-name>
      <filter-class>org.springframework.web.filter.ShallowEtagHeaderFilter</filter-class>
      <async-supported>true</async-supported>
  </filter>
  <filter-mapping>
      <filter-name>eTagFilter</filter-name>
      <url-pattern>/*</url-pattern>
  </filter-mapping>
  <servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextClass</param-name>
        <param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
    </init-param>
    <init-param>
        <param-name>contextConfigLocation</param-name>
          <param-value>com.lkbotics.visualizer.web.config.MvcConfig</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
    <async-supported>true</async-supported>
  </servlet>
  <servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

Can effectively be replaced by the following implementation of WebApplicationInitializer

import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;

import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.context.ContextLoaderListener;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;
import org.springframework.web.filter.ShallowEtagHeaderFilter;
import org.springframework.web.servlet.DispatcherServlet;

import com.lkbotics.visualizer.config.AppConfig;
import com.lkbotics.visualizer.web.config.MvcConfig;

public class CustomWebApplicationInitializer implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext container) throws ServletException {
        AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext();
        rootContext.register(AppConfig.class);
        
        container.addListener(new ContextLoaderListener(rootContext));
        
        AnnotationConfigWebApplicationContext dispatcherContext = new AnnotationConfigWebApplicationContext();
        dispatcherContext.register(MvcConfig.class);
        
        FilterRegistration.Dynamic springSecurityFilterChain = container.addFilter("springSecurityFilterChain", new DelegatingFilterProxy());
        springSecurityFilterChain.addMappingForUrlPatterns(null, false, "/*");
        springSecurityFilterChain.setAsyncSupported(true);
        
        FilterRegistration.Dynamic shallowETagFilter = container.addFilter("shallowETagFilter", new ShallowEtagHeaderFilter());
        shallowETagFilter.addMappingForUrlPatterns(null, true, "/*");
        shallowETagFilter.setAsyncSupported(true);
        
        ServletRegistration.Dynamic dispatcher = container.addServlet("servletDispatcher", new DispatcherServlet(dispatcherContext));
        dispatcher.setLoadOnStartup(1);
        dispatcher.setAsyncSupported(true);
        dispatcher.addMapping("/");        
    }

}

As usual Spring Security requirements apply, There must be FilterChainProxy bean registered with the name springSecurityFilterChain or custom bean name must be passed in while instantiating the DelegatingFilterProxy inside WebApplicationInitializer.

Caveats [1]

web.xml versioning

WEB-INF/web.xml and WebApplicationInitializer use are not mutually exclusive; for example, web.xml can register one servlet, and a WebApplicationInitializer can register another. An initializer can even modify registrations performed in web.xml through methods such as ServletContext#getServletRegistration(String). However, if WEB-INF/web.xml is present in the application, its version attribute must be set to "3.0" or greater, otherwise ServletContainerInitializer bootstrapping will be ignored by the servlet container.


References
  1. WebApplicationInitializer
  2. FilterRegistration.Dynamic