Reputation: 35276
I created this simple AdminController:
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping("admin")
public class AdminController {

    // GET /admin/ - only for users holding ROLE_ADMIN
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public @ResponseBody String welcomeAdmin() {
        return "Spring Security - ROLE_ADMIN";
    }

    // GET /admin/{query} - echoes the path variable, also restricted to ROLE_ADMIN
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    @RequestMapping(value = "/{query}", method = RequestMethod.GET)
    public @ResponseBody String welcomeAdmin(@PathVariable String query) {
        return query;
    }
}
This is the security-context.xml:
<http auto-config="true">
    <intercept-url pattern="/admin*" access="ROLE_ADMIN"/>
    <logout logout-success-url="/admin" />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user" password="password" authorities="ROLE_USER" />
            <user name="admin" password="password" authorities="ROLE_ADMIN" />
        </user-service>
    </authentication-provider>
</authentication-manager>
Which is loaded here in the web.xml:
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/root-context.xml
        /WEB-INF/spring/appServlet/security-context.xml
    </param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
There are no errors, but the /admin resource is accessible to anyone. Why is the resource not being filtered by Spring Security?
Upvotes: 1
Views: 289
Reputation: 3787
What version of Spring Security are you using?
In your security-context.xml you need
<global-method-security pre-post-annotations="enabled" />
in order to use annotations.
Also you should try:
<intercept-url pattern="/admin*" access="hasRole('ROLE_ADMIN')"/>
Upvotes: 1
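The two changes this answer suggests, combined into one security-context.xml as an added example (not the answerer's own file), assuming Spring Security 3.x, where an expression such as hasRole() inside intercept-url requires use-expressions="true" on <http>. The widened URL pattern and the logout URL differ from the question's values and are assumptions explained in the comments.

```xml
<!-- security-context.xml: assumed Spring Security 3.x; root <beans> element
     and xmlns declarations omitted, as in the question -->
<http auto-config="true" use-expressions="true">
    <!-- Ant-style "/admin*" only matches "/admin" or "/adminXYZ" within a single
         path segment; it does NOT match "/admin/" (the controller's "/" mapping)
         or "/admin/anything". "/admin/**" covers all of them. -->
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>

    <!-- Assumption: the site root is public. A logout target must not itself be
         a protected URL, otherwise logging out just lands on the login page. -->
    <logout logout-success-url="/"/>
</http>

<!-- Turns on @PreAuthorize/@PostAuthorize for beans defined in THIS application
     context. Controllers are created by the DispatcherServlet's child context,
     so this element must be present in the configuration that context loads;
     declaring it only in the root context (web.xml contextConfigLocation)
     leaves the controller annotations unenforced. -->
<global-method-security pre-post-annotations="enabled"/>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user" password="password" authorities="ROLE_USER"/>
            <user name="admin" password="password" authorities="ROLE_ADMIN"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
```

Even with the annotations enforced, keep the intercept-url rule: the URL filter rejects anonymous requests before any controller code runs, so the two layers back each other up.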
Reputation: 3687
I think that it is because of
<logout logout-success-url="/admin" />
According to that line, once a user logs out, that URL will be displayed. A logout page is not secure since it must be reachable by unauthenticated users. It could be overriding the first condition.
Upvotes: 3