Spring Security configuration issue with http basic : IllegalArgument

Question

I can't seem to figure out why this configuration gives an IllegalArgumentException. The error is:

Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration

The configuration is:

    <!-- Disable Spring Security for static content -->
<http pattern="/css/**" security="none"/>
<http pattern="/js/**" security="none"/>

<!-- Web app security -->
<http use-expressions="true" authentication-manager-ref="pvDatabase">   
    <!-- Insecure endpoints -->
    <intercept-url pattern="/" access="permitAll"/>
    <intercept-url pattern="/spring/login" access="permitAll"/>
    <intercept-url pattern="/spring/loginfail" access="permitAll"/>
    <intercept-url pattern="/spring/loggedout" access="permitAll"/>     
    <intercept-url pattern="/insecure/**" access="permitAll"/>

    <!-- Secure endpoints -->               
    <intercept-url pattern="/secure/admin/**" access="hasAnyRole('ADMIN')"/>
    <intercept-url pattern="/spring/**" access="hasAnyRole('ADMIN', 'USER')"/>
    <intercept-url pattern="/secure/**" access="hasAnyRole('ADMIN', 'USER')"/>      

    <!-- Authentication Entrypoint is FORM-LOGIN -->
    <form-login login-page="/spring/login" 
        login-processing-url="/spring/login"
        authentication-failure-url="/spring/loginfail" 
        default-target-url="/spring/loginsuccess" 
        always-use-default-target="true" />
    <logout logout-url="/spring/logout" logout-success-url="/spring/loggedout" delete-cookies="JSESSIONID" invalidate-session="true"/>
    <csrf/>

    <!-- HTTP 403 Access denied custom handling -->
    <access-denied-handler ref="pvAccessDeniedHandler"/>
</http>

<!-- Web services security : this section generates an error -->
<http use-expressions="true" create-session="stateless" authentication-manager-ref="pvDatabase">
    <!-- Authentication Entrypoint is HTTP-BASIC -->
    <http-basic entry-point-ref="PVBasicAuthenticationEntryPoint"/>

    <!-- secure endpoints : web services -->
    <intercept-url pattern="/services/api/**" access="hasAnyRole('ADMIN', 'WEBSERVICES')"/>

    <!-- HTTP 403 Access denied custom handling -->
    <access-denied-handler ref="pvAccessDeniedHandler"/>
</http>

Security works well if I remove the entire Web Services security section, what I want is to be able to protect only the /services/api/** pattern with basic-auth, in addition restricting it to users with roles ADMIN and WEBSERVICES only.

I am not sure I understand the error as there is no other url pattern defined that is universal match, I don't have /** mapped anywhere.

My app consists of 2 Dispatcher servlets, the first is mapped to /spring/* and the second is mapped to /services/api/*. The Spring Security Filter Chain is mapped to /*

Answer 1

This error is because the http blocks are also considered in order and the default pattern for an http block is /**. Without having a pattern attribute on all but the last http block the other block will never be seen.

Adding pattern to the first http block should fix your problem. If pattern does not work, you can also use a custom instance of RequestMatcher with request-matcher-ref .