Reputation: 3664
In the Spring Security intercept-url config, if I define a particular role for a particular path, say ROLE_USER, that path should be accessible only if the user has that authority. That makes sense, but if I set the role as ROLE_ANONYMOUS, <intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS"/>
shouldn't it be accessible even when the user is authenticated, say when the user has the authority ROLE_USER? But that doesn't happen.
Here is the log:
Checking match of request : '/resources/js/test.js'; against '/resources/**'
Secure object: FilterInvocation: URL: /resources/js/test.js; Attributes: [ROLE_ANONYMOUS]
Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken***********************************************
Voter: org.springframework.security.access.vote.RoleVoter@1712310, returned: -1
And then I get an access denied exception. I know it works fine if I add <intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS,ROLE_USER"/>
in my http config. But in the above case, is it meant to be like that, or am I doing something wrong?
Upvotes: 2
Views: 21124
Reputation: 2254
If I remember correctly: no, a resource protected with only access="ROLE_ANONYMOUS" should not be accessible to authenticated users in your case. You have to explicitly tell Spring to allow users with "ROLE_USER" to access it. Depending on the version you are using, maybe you should consider using expression-based access control. This way you could make a resource accessible to everyone by just using: access="permitAll()", which IMHO is simpler.
Upvotes: 2
Reputation: 28045
It's the right way to write:
<intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS,ROLE_USER"/>
You can check the official reference manual chapter about anonymous authentication, where you'll see the following configuration:
<bean id="filterSecurityInterceptor"
      class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
  <!-- FilterSecurityInterceptor exposes setSecurityMetadataSource(); the manual's
       "securityMetadata" property name does not exist and fails at context startup -->
  <property name="securityMetadataSource">
    <security:filter-security-metadata-source>
      <!-- pages reachable both before and after login must list both roles,
           because a logged-in user no longer carries ROLE_ANONYMOUS -->
      <security:intercept-url pattern='/index.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
      <security:intercept-url pattern='/hello.htm' access='ROLE_ANONYMOUS,ROLE_USER'/>
      <security:intercept-url pattern='/logoff.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
      <security:intercept-url pattern='/login.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
      <!-- everything else requires a logged-in user -->
      <security:intercept-url pattern='/**' access='ROLE_USER'/>
    </security:filter-security-metadata-source>
  </property>
</bean>
Your understanding of ROLE_ANONYMOUS and ROLE_USER is a bit wrong; read more about them in this answer by Luke Taylor, one of Spring Security's developers.
Upvotes: 2
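As an added illustration of the point made in both answers (this is not code from the question, the answers or the Spring Security project): the program below feeds the two kinds of Authentication that reach FilterSecurityInterceptor into a plain RoleVoter, the voter named in the question's log. The anonymous key "demo-key", the principal names and the attribute lists are constructed for the example; the classes and methods are Spring Security 3.x APIs. The second call reproduces the "returned: -1" in the log: after login the token created by AnonymousAuthenticationFilter, and with it ROLE_ANONYMOUS, is replaced by the UsernamePasswordAuthenticationToken holding only ROLE_USER, so an access list that names only ROLE_ANONYMOUS has nothing to match and the voter denies.

```java
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Added illustration, not from the question or the answers: shows how RoleVoter
 * decides for an anonymous visitor versus a logged-in user. Needs
 * spring-security-core 3.x on the classpath.
 */
public class AnonymousRoleVoterDemo {

    // The attribute list Spring builds from access="ROLE_ANONYMOUS" (constructed here).
    static final List<ConfigAttribute> ANONYMOUS_ONLY =
            SecurityConfig.createList("ROLE_ANONYMOUS");

    // The attribute list built from access="ROLE_ANONYMOUS,ROLE_USER" (constructed here).
    static final List<ConfigAttribute> ANONYMOUS_OR_USER =
            SecurityConfig.createList("ROLE_ANONYMOUS", "ROLE_USER");

    // What AnonymousAuthenticationFilter places in the SecurityContext for a visitor
    // who has not logged in. Key and principal are demo values.
    static Authentication anonymousVisitor() {
        return new AnonymousAuthenticationToken("demo-key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
    }

    // What a successful form login leaves behind: ROLE_USER only, no ROLE_ANONYMOUS.
    static Authentication loggedInUser() {
        return new UsernamePasswordAuthenticationToken("alice", "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    // RoleVoter never looks at the secured object (the FilterInvocation in the log),
    // it only compares the caller's authorities with the ROLE_ attributes, so null is fine.
    static int vote(Authentication caller, List<ConfigAttribute> attributes) {
        return new RoleVoter().vote(caller, null, attributes);
    }

    static String describe(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "ACCESS_GRANTED (1)";
            case AccessDecisionVoter.ACCESS_DENIED:  return "ACCESS_DENIED (-1)";
            default:                                 return "ACCESS_ABSTAIN (0)";
        }
    }

    public static void main(String[] args) {
        System.out.println("anonymous vs [ROLE_ANONYMOUS]           -> "
                + describe(vote(anonymousVisitor(), ANONYMOUS_ONLY)));
        System.out.println("ROLE_USER vs [ROLE_ANONYMOUS]           -> "
                + describe(vote(loggedInUser(), ANONYMOUS_ONLY)));
        System.out.println("ROLE_USER vs [ROLE_ANONYMOUS,ROLE_USER] -> "
                + describe(vote(loggedInUser(), ANONYMOUS_OR_USER)));
    }
}
```

The three lines print ACCESS_GRANTED, ACCESS_DENIED and ACCESS_GRANTED in that order. RoleVoter starts from ACCESS_DENIED as soon as it sees an attribute with the ROLE_ prefix and only switches to ACCESS_GRANTED when one of the caller's authorities equals one of those attributes, which is why listing both roles (or, with use-expressions="true", access="permitAll") is what makes a path reachable both before and after login.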