Hi, I have an application which uses non-interactive login and hence utilizes the NonLoginAuthenticator in Tomcat. Here is a snippet from web.xml.

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext-security.xml</param-value>
    </context-param>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <login-config>
        <auth-method>NONE</auth-method>
        <realm-name>cas-authorize</realm-name>
    </login-config>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protect JSPs</web-resource-name>
            <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>testUsers</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>testUsers</role-name>
    </security-role>

However, I see that container security is invoked before any Spring-related stuff. Since it is a non-interactive login, the Subject is not populated with any principals, and hence Tomcat is unable to authorize access to the resource.

My question is: how can I revert the security mechanism so that Spring Security is invoked before Tomcat security?

Thanks,
Ashish