DelegatingFilterProxy should be aware of FrameworkServlet's WebApplicationContext [SPR-13191]

[spring-projects-issues]

Rob Winch opened SPR-13191 and commented

Status Quo

Currently Spring Security users are accustomed to configuring Spring Security in a root WAC (WebApplicationContext) and Spring MVC in the DispatcherServlet WAC.

This makes configuration unnecessarily complex in many situations (a parent / child context). For example, when users want to have method level security for a Spring MVC application it is unintuitive to them that they need to add a BeanPostProcessor to the DispatcherServlet WAC as well.

Proposal

To support a single WAC, it would be nice if DelegatingFilterProxy could fall back to looking in the DispatcherServlet WAC. This simplifies the configuration so that users don't need to specify the contextAttribute on the DelegatingFilterProxy which is difficult to remember the value for (i.e. org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher).

---

Referenced from: pull request #834, and commits 1fcd465

0 votes, 5 watchers

[spring-projects-issues]

Rob Winch commented

Tentatively marking as 4.2 so we can at least discuss before then

[spring-projects-issues]

Rossen Stoyanchev commented

robwinch i'm moving this to the 4.3 backlog since I don't have any more time for 4.2. Feel free to raise this again when you prototype something.

[spring-projects-issues]

Rob Winch commented

Rossen Stoyanchev I have created a pull request for this.

Juergen Hoeller Since Rossen is out is this something you think we can merge for 4.2 or do you think it needs to wait for Rossen's review? I'm going to tentatively reschedule again, but if you think we need to wait, please feel free to push it back again.

[spring-projects-issues]

Juergen Hoeller commented

As discussed on the team call, I've implemented this with a fallback to a single unique WebApplicationContext among the ServletContext attributes. This avoids the need for an extra attribute and covers the usual scenario.

Juergen