Sunday, January 27, 2013

Using Spring Security in OSGi without WAB

This is actually inspired by another post that use Apache CXF in OSGi (but I couldn't find the link now).

Apache CXF D-OSGi, you can add a propety to the OSGi service so that it will use the filter (ServletFilter)

    <osgi:service ref="searchRS" interface="">       
            <entry key="service.exported.interfaces" value="*" />
            <entry key="service.exported.configs" value="" />
            <entry key="" value="/search" />
            <entry key="org.apache.cxf.httpservice.requirefilter" value="true" />
               <entry key="">
                       <ref bean="jsonProvider" />


    <osgi:service ref="customFilterChain" interface="javax.servlet.Filter">
            <entry key="org.apache.cxf.httpservice.filter" value="true" />
            <entry key="servletNames" value="none" />

With this, the customFilterChain will be used everytime when /search has been accessed.

To setup the filter chain,

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns=""

    <bean id="customSecurityFilter" class=""/>

    <bean id="requestContextFilter" class="org.springframework.web.filter.RequestContextFilter"/>
    <!-- disable url rewrite, change session key -->
    <bean id="httpSessionSecurityContextRepository" class="" />
    <bean id="springSecurityFilter" class="" >
        <constructor-arg ref="httpSessionSecurityContextRepository" />
        <property name="forceEagerSessionCreation" value="false" />
    <bean id="basicAuthenticationFilter" class="" >
        <constructor-arg ref="customAuthenticationManager" />
    <bean id="http403ForbiddenEntryPoint" class=""/>
    <bean id="exceptionTranslationFilter" class="">
        <constructor-arg ref="http403ForbiddenEntryPoint" /> <!-- can redirect to https here -->
    <bean id="sessionManagementFilter" class="">
        <constructor-arg ref="httpSessionSecurityContextRepository"/>
        <constructor-arg ref="sessionFixationProtectionStrategy" />
    <bean id="sessionFixationProtectionStrategy" class="">
        <property name="migrateSessionAttributes" value="true"/>

    <bean id="customFilterChain" class="">
        <security:filter-chain-map request-matcher="ant">
            <security:filter-chain pattern="/osgi/auth/**" filters="springSecurityFilter,requestContextFilter,basicAuthenticationFilter,sessionManagementFilter,exceptionTranslationFilter"/>
            <security:filter-chain pattern="/**" filters="springSecurityFilter,requestContextFilter,customSecurityFilter,exceptionTranslationFilter"/>

note that we have our own AuthenticationProvider and only /auth will perform Basic Authentication Filter.

After we've migrated to Resteasy, we're still keeping the filter chain, and instead of registering to OSGi and let Apache CXF handles it, we registered to the WebContainer directly (see my other post about Resteasy & Pax Web).


  1. I'm obtaining an error using your sample configuration in my application:

    Attribute 'bean' is not allowed to appear in element 'ref'.

    It is very strange. It is related with line:

    Can you provide me some help?

    Thank you!

  2. Where is "jsonProvider" defined? I have changed the line:


    to achieve parsing the file, but anyway I need to get this bean defined.

  3. I have noticed that my previous comments didn't have proper lines:

    I write both again without symbols:

    ref bean="jsonProvider"

    ref component-id="jsonProvider"