ResourceUrlEncodingFilter in Spring 4.1.5.RELEASE with springSecurityFilterChain enabled

Question

im trying to implement resource versioning to make my static files (js and css) dynamically versioned by spring's VersionResourceResolver according to Spring's documentation i have my xml configuration:

<mvc:resources mapping="/css/**" location="/css/">
    <mvc:resource-chain resource-cache="true" auto-registration="true">
        <mvc:resolvers>
            <mvc:version-resolver>
                <mvc:content-version-strategy patterns="/**"/>
            </mvc:version-resolver>
        </mvc:resolvers>
    </mvc:resource-chain>
</mvc:resources>
<mvc:resources mapping="/js/**" location="/js/">
    <mvc:resource-chain resource-cache="true" auto-registration="true">
        <mvc:resolvers>
            <mvc:version-resolver>
                <mvc:content-version-strategy patterns="/**"/>
            </mvc:version-resolver>
        </mvc:resolvers>
    </mvc:resource-chain>
</mvc:resources>

that works quite well when i add the ResourceUrlEncodingFilter in my web.xml:

<filter>
    <filter-name>resourceUrlEncodingFilter</filter-name>
    <filter-class>org.springframework.web.servlet.resource.ResourceUrlEncodingFilter</filter-class>
    <init-param>
        <param-name>addMappingForUrlPatterns</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>resourceUrlEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

the only thing is that it doesn't work when the springSecurityFilterChain is present on the web.xml, if i comment the line of springSecurityFilterChain the filter works perfectly, according to this post appears to be a bug solved on the 4.1.2 version, as specified here

that url's of static files are just completely ignored, the ResourceUrlEncodingFilter only call it's encodeURL() method when security its not enabled, any ideas of how to solve it? i assumed that the solution for that bug was added to the 4.1.5.RELEASE version.

Answer 1

The fact that your filter (ResourceUrlEncodingFilter) is only getting called when security is not enabled makes me believe that Spring Security is intercepting the calls to your static resources (and not letting them pass through to the filter). Please verify that your Spring Security configuration lets calls to static resources through.

Assuming that your 'css' and 'js' folders are under src/main/resources, you could do something like this:

(JavaConfig)

class SecurityConfig extends WebSecurityConfigurerAdapter {

    ...

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }
    ...

}

(XML configuration)

...

<http security="none" pattern="/resources/**"/>

...