any takers for this Q??? On Thu, Jul 15, 2010 at 1:38 PM, Ashish Jain <ashja...@gmail.com> wrote:
> Hi, > > I have an application which uses non interactive login and hence utilizes > NONLogin Authenticator in tomcat. Here is a snippet from web.xml. > > <context-param> > <param-name>contextConfigLocation</param-name> > <param-value>/WEB-INF/applicationContext-security.xml</param-value> > </context-param> > > <filter> > <filter-name>springSecurityFilterChain</filter-name> > > <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> > </filter> > > <filter-mapping> > <filter-name>springSecurityFilterChain</filter-name> > <url-pattern>/*</url-pattern> > </filter-mapping> > > <listener> > > <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> > </listener> > > <login-config> > <auth-method>NONE</auth-method> > <realm-name>cas-authorize</realm-name> > </login-config> > > <security-constraint> > <web-resource-collection> > <web-resource-name>Protect JSPs</web-resource-name> > <url-pattern>*.jsp</url-pattern> > </web-resource-collection> > <auth-constraint> > <role-name>testUsers</role-name> > </auth-constraint> > </security-constraint> > > <security-role> > <role-name>testUsers</role-name> > </security-role> > > however I see that container security is invoked before any spring related > stuff. Since it is a Non interactive login Subject is not populated with any > principals > and hence tomcat is unable to authorize the access to resource. My Question > is > > How can I revert the security mechanism so that Spring security is invoked > before tomcat security. > > Thanks > Ashish >