Reputation: 166
I'm new to Spring Security. Now I'm reading its documentation. I have a question regarding its filter chain URL patterns:
As explained in the document:
it's possible to use multiple http elements to define different security configurations for different URL patterns. Each element creates a filter chain within the internal FilterChainProxy and the URL pattern that should be mapped to it. The elements will be added in the order they are declared, so the most specific patterns must again be declared first.
It also gives an example:
<!-- Stateless RESTful service using Basic authentication -->
<http pattern="/restful/**" create-session="stateless">
    <intercept-url pattern='/**' access='ROLE_REMOTE' />
    <http-basic />
</http>
What I don't understand is: a URL pattern "/restful/**" is already configured for the http tag, which means all requests matching this pattern will be handled by the filter chain inside this http tag. However, why does it give a "match all" pattern, "/**", to the intercept-url tag?
Isn't it duplicated?
Also, if I really want to give another pattern, isn't "/restful/**" better? Because "/**" will match URLs that will not match "/restful/**" and thus will not be handled by this filter chain.
Upvotes: 0
Views: 4816
Reputation: 2286
Without the <intercept-url> tag within <http>, this declaration basically says that anyone can access any resource under the /restful/** path. The <intercept-url> here restricts access to users who have been assigned the ROLE_REMOTE role, which is quite different.

<intercept-url> patterns are relative to the enclosing <http> element pattern, so nothing outside the /restful/** path will be intercepted by this declaration.

The typical pattern is that you will have one <http> element with several <intercept-url> elements within, targeting different URL patterns. Additional <http> elements can be useful when you want authentication and access control to behave differently, for example session management or authentication failure handlers for REST API endpoints.
Upvotes: 1
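To make the two-stage matching concrete, here is a complete Spring Security XML configuration that puts the snippet from the question next to a second, catch-all chain. This is an added example, not code from the question, the answer, or the Spring Security documentation; the second chain, its URL prefixes (/public/**, /admin/**), and the in-memory users are constructed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: two filter chains in one Spring Security XML configuration.
     A request is routed in two stages:
       1. FilterChainProxy picks the FIRST <http> element whose pattern matches the
          request URL (declaration order matters, so the more specific /restful/**
          chain must come before the catch-all chain).
       2. Only then are the <intercept-url> rules of the chosen chain evaluated.
     So '/**' inside the /restful/** chain never sees /admin/** or /public/**:
     those requests were handed to the second chain before the rule was consulted. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Chain 1 (most specific, declared first): stateless REST API protected by HTTP Basic.
         '/**' here means "every request that reached THIS chain", i.e. every /restful/** request.
         Without this rule the chain would authenticate nobody and let anyone through. -->
    <http pattern="/restful/**" create-session="stateless">
        <intercept-url pattern="/**" access="ROLE_REMOTE" />
        <http-basic />
    </http>

    <!-- Chain 2 (no pattern attribute = catch-all): browser-facing pages with form login
         and a session. Requests that did not match /restful/** land here, so the '/**'
         rule in this chain is the real site-wide default. More specific rules go first. -->
    <http>
        <intercept-url pattern="/public/**" access="ROLE_ANONYMOUS,ROLE_USER" />
        <intercept-url pattern="/admin/**"  access="ROLE_ADMIN" />
        <intercept-url pattern="/**"        access="ROLE_USER" />
        <form-login />
        <logout />
    </http>

    <!-- Constructed in-memory users so the file is self-contained (not from the original page). -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="api-client" password="example" authorities="ROLE_REMOTE" />
                <user name="alice"      password="example" authorities="ROLE_USER" />
                <user name="admin"      password="example" authorities="ROLE_USER,ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

Tracing a request: GET /restful/orders matches chain 1, so only its single '/**' rule applies and the caller needs ROLE_REMOTE via Basic auth; GET /admin/users does not match /restful/**, falls through to chain 2, and is checked against that chain's rules in order until /admin/** matches. If the two <http> elements were swapped, the catch-all chain would claim /restful/** requests first and chain 1 would never run, which is the ordering rule the documentation quoted in the question is warning about. The example assumes the Spring Security 3.x namespace defaults used by the question's snippet (plain role names in access, plain-text passwords in user-service); on 4.x and later the namespace defaults to use-expressions="true", so the access values would be written as hasRole('ROLE_REMOTE'), and 5.x additionally expects an encoder prefix such as {noop} on those passwords.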