Reputation: 12730
Spring Security oddity in <intercept-url> when specifying method
I've been playing around with Spring Security a bit and noticed the following oddity.
When I specify the <http> block like this in my security context XML.
<http>
<http-basic/>
<port-mappings>
<port-mapping http="8080" https="8181"/>
</port-mappings>
<intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
<intercept-url pattern="/url2**" access="ROLE_ROLE2"/>
<intercept-url pattern="/url3**" access="ROLE_ROLE3" />
<!-- <intercept-url pattern="/**" access="ROLE_ADMIN" />
</http>
All the urls seem to trigger a HTTP basic authentication pop up when I hit the various URLs with the browser.
This is good and what I expected, but when I add a method parameter to 1 of the intercept URLs like this:
<http>
<http-basic/>
<port-mappings>
<port-mapping http="8080" https="8181"/>
</port-mappings>
<intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
<intercept-url pattern="/url2**" access="ROLE_ROLE2" method="GET"/>
<intercept-url pattern="/url3**" access="ROLE_ROLE3" />
<!-- <intercept-url pattern="/**" access="ROLE_ADMIN" />
</http>
The basic authentication is turned off for all the URLs except the one I've explicitly set the method on (/url2).
Is this how it's supposed to work, because it seems a little goofy to me. Is this a bug?
Upvotes: 0
Views: 5964
Answers (1)
Reputation: 7480
Now I have tested url1 with https and it works. I got redirected and then the login dialog showed up.
Setting logging level to DEBUG it prints:
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:196 - Converted URL to lowercase, from: '/url1/'; to: '/url1/'
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:224 - Candidate is: '/url1/'; pattern is /url2**; matched=false
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:224 - Candidate is: '/url1/'; pattern is /url1**; matched=true
DEBUG AbstractSecurityInterceptor,http-8443-1:250 - Secure object: FilterInvocation: URL: /url1/; ConfigAttributes: [ROLE_USER]
DEBUG XmlWebApplicationContext,http-8443-1:244 - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@17af46e]: org.springframework.security.event.authorization.AuthenticationCredentialsNotFoundEvent[source=FilterInvocation: URL: /url1/]
DEBUG ExceptionTranslationFilter,http-8443-1:150 - Authentication exception occurred; redirecting to authentication entry point
This is the configuration:
<http>
<http-basic/>
<port-mappings>
<port-mapping http="8080" https="8443"/>
</port-mappings>
<intercept-url pattern="/url1**" access="ROLE_USER" requires-channel="https"/>
<intercept-url pattern="/url2**" access="ROLE_TELLER" method="GET"/>
<intercept-url pattern="/url3**" access="ROLE_SUPERVISOR" />
</http>
Upvotes: 2
Related Questions
- Using intercept-url in Spring security
- Spring Security Intercept-url pattern not working
- Why Doesn't Intercept Url Work?
- Unable to use intercept-url while using Spring Security
- How exactly works the Spring Security intercept-url's?
- Why in Spring Security I need the intercept-url?
- spring security intercept-url access
- Spring Security intercept url appears to be skipped/ignored
- Spring security not working when adding a second url-intercept
- spring security intercept-url is not working for me