SpringSecurityFilterChain and Kerberos

amy

We are using SpringSecurityFilterChain as we have a number of custom filters.

We would like to upgrad to spring security 3.0.5,and use kerberos.

How do I specify the SpnegoEntryPoint when I use filter chain proxy?

I have only seen examples of the StandardNamespace.

The SpnegoProcessingFilter does NOT have any sort of setter for the SpnegoEntry point.

There is no namespace support specific for Kerberos. You will want to refer to Mike's blog on how to configure it.

I am trying to get this to work , by referring to Mike's Blog.

In his blog he uses the following tag in the spring-security.xml file.Code:
lt;sec:from entry-point-ref=quot;spnegoEntryPointquot;gt;     lt;sec:intercept-ucl pattern=quot;/secure/**quot; access=quot;IS_AUTHENTICATED_FULLYquot; /gt;     lt;sec:custom-filter ref=quot;spnegoAuthenticationProcessingFilterquot; position=quot;BASIC_PROCESSING_FILTERquot; /gt;  
lt;/sec:fromgt;

When we have lt;sec-from entry-point-ref=quot;spnegoEntryPointquot;gt; what is the equivalent of this line when I use the spring security filter chain.

Following is my FilterChain in my project.Code:lt;bean id=quot;springSecurityFilterChainquot; class=quot;org..security.util.FilterChainProxyquot;gt;   lt;security:filter-chain-map path-type=quot;antquot;gt;   lt;!-- WSDL - WSDLs are completely unprotected and opened, outside of security --gt;   lt;security:filter-chain pattern=quot;/webservices/*?wsdlquot; filters=quot;nonequot;/gt;           lt;security:filter-chain pattern=quot;/webservicesquot; filters=quot;nonequot;/gt;       lt;security:filter-chain pattern=quot;/webservices/quot; filters=quot;nonequot;/gt;          lt;!-- LoginWebServices - no authentication needed so that all users can access these services --gt;   lt;security:filter-chain pattern=quot;/webservices/LoginWebServices*quot;        filters=quot;fromSessionContextIntegrationFilter,logoutFilter,securityContextHolderAwareRequestFilterquot;/gt;      
lt;!-- Login point - to first attempt NTLM authentication --gt;       lt;security:filter-chain pattern=quot;/**/docfinity.jspquot;   filters=quot;fromSessionContextIntegrationFilter,logoutFilter,spnegoAuthenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,filterSecurityInterceptorquot;/gt;         lt;!-- Servlets - servlets are not tied to sessions because we use them for 3rd party integrations --gt;   lt;security:filter-chain pattern=quot;/servlet/**quot;    filters=quot;fromSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,docfinitySecurityFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,authenticationExceptionTranslationFilter,filterSecurityInterceptorquot;/gt;      lt;security:filter-chain pattern=quot;/application/form.jsp*quot;       filters=quot;fromSessionContextIntegrationFilter,logoutFilter,formAuthenticationFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,authenticationExceptionTranslationFilter,filterSecurityInterceptorquot;/gt;   
lt;!-- Webservices - in general, we require basic DocFinity authentication for our webservices because you need a license to use them and without authentication,
a license cannot be granted. --gt;                    lt;security:filter-chain pattern=quot;/webservices/*webservices*quot;  filters=quot;fromSessionContextIntegrationFilter,logoutFilter,docfinitySecurityFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,basicExceptionTranslationFilter,filterSecurityInterceptorquot;/gt;      lt;!-- All others - protect with DocFinity authentication --gt;          lt;security:filter-chain pattern=quot;/**quot;   filters=quot;fromSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,docfinitySecurityFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,authenticationExceptionTranslationFilter,filterSecurityInterceptorquot;/gt;   lt;/security:filter-chain-mapgt;    lt;/beangt;The entry-point-ref configures a custom AuthenticationEntryPoint by setting it on the ExceptionTranslationFilter (search this blog for exceptionTranslationFilter for an example).