rohi

Reputation: 320

cannot set Spring security for all url

I created a spring mvc application with spring security. I tried to set authentication for all url with spring security.

Springsecurity.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- The root element and schema locations are restored here so the posted fragment
     is a complete file; the security namespace is the default namespace and the
     beans namespace is prefixed. The "userDetailsService" bean referenced below is
     assumed to be defined elsewhere in the application context. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />

        <!-- access denied page -->
        <access-denied-handler error-page="/403" />
        <form-login
            login-page="/login"
            default-target-url="/welcome"
            authentication-failure-url="/login?error"
            username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/login?logout" />
        <!-- enable csrf protection -->
        <csrf />
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService">
            <password-encoder hash="bcrypt" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>

When I set intercept-url to /** the page does not load; it times out. But when I set intercept-url to /admin it works perfectly. Why does this happen?

Upvotes: 0

Views: 331

Answers (1)

Master Slave

Reputation: 28519

Your intercept pattern for all requests is OK, but you need to include an exception for your login page; try adding

  <http security="none" pattern="/login"/>

UPDATE with respect to the comment

The approach above completely switches off Spring Security for the given URL. As you're using CSRF, it means that the Spring Security filter should attend to this URL as well, not for the sake of authentication but for the sake of including the unpredictable token that can secure from session fixation attacks. In any case, here's a way to process the URL with Spring Security without prompting for authentication. Instead of the above, use the following

<intercept-url pattern="/login" access="isAnonymous()"/>

inside the

<http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login" access="isAnonymous()"/>
        <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
        ...

Upvotes: 2
