Javi

Reputation: 19779

Multiple <http> elements in Spring security

Recently Spring Security has given the opportunity to configure several <http> elements. I'm trying to set a configuration for all the URLs which map to the pattern /foo/* and another for the rest. Now I have two login pages, one set at /login and the other at /foo/login. So I want all the URLs which match /foo/** to log in against /foo/login.

I have created a configuration like the one below, but when I enter a URL like /foo/something (which shouldn't be allowed for the anonymous user), instead of going to /foo/login it goes to /login.

The Spring Security version is 3.1.0.RC1. Any idea what may be happening?

<sec:http auto-config="true" pattern="/foo/**" entry-point-ref="ajaxAuthenticationEntryPoint">
    <sec:intercept-url pattern="/foo/login" access="ROLE_ANONYMOUS,ROLE_BASIC,ROLE_ADMIN" />
    ...
    <!-- other sec:intercepts for some /foo/* urls -->
    ...
    <sec:intercept-url pattern="/foo/**" access="ROLE_BASIC" />
    
    <sec:custom-filter before="SECURITY_CONTEXT_FILTER" ref="basicProcessingFilter" />
    
    <sec:form-login login-page="/foo/login" authentication-failure-url="/foo/login" default-target-url="/index" always-use-default-target="true" />
    
    <sec:session-management>
        <sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login" />
    </sec:session-management>
</sec:http>

<sec:http auto-config="true" pattern="/**" entry-point-ref="ajaxAuthenticationEntryPoint">
    <!-- some sec:intercepts for some urls -->
    ...
    
    <sec:intercept-url pattern="/**" access="ROLE_ADMIN" />
    
    <sec:custom-filter before="SECURITY_CONTEXT_FILTER" ref="basicProcessingFilter" />
    
    <sec:form-login login-page="/login" default-target-url="/index" always-use-default-target="true" />
            
    <sec:session-management>
        <sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login" />
    </sec:session-management>
</sec:http>

Upvotes: 8

Views: 9947

Answers (3)

Shaun the Sheep

Reputation: 22742

The AuthenticationEntryPoint is responsible for redirecting to the login page. You have injected a custom entry point which will override the login-page attribute on your form-login element.

Does ajaxAuthenticationEntryPoint redirect to /login?

Ideally, Spring Security should detect if you are attempting to use a custom entry point and a login-page and report a warning.

Upvotes: 1
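As an added illustration of the point made in this answer (example code written for this page, not code from the question, from the answer, or from Spring Security itself): the `entry-point-ref` on each `<http>` element wins over `login-page`, so if both elements point at the same `ajaxAuthenticationEntryPoint` bean, both chains will redirect to whatever single URL that bean knows about. One way out is an entry point that carries its own login URL and is instantiated once per `<http>` element. The package name `example`, the class name `LoginPageAwareEntryPoint` and the bean ids `fooEntryPoint`/`mainEntryPoint` are assumptions made for this example; detecting AJAX callers via the `X-Requested-With: XMLHttpRequest` header is a common convention, not something the question states.

```java
package example; // assumed package name for this example

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/**
 * An AuthenticationEntryPoint that knows which login page belongs to the
 * <http> element it is wired into.
 *
 * Browser requests are redirected to loginFormUrl. AJAX callers (identified
 * by the conventional X-Requested-With: XMLHttpRequest header) get a plain
 * 401 instead of a redirect, because a 302 to an HTML form is useless to a
 * script and leaks the login page's markup into the XHR response body.
 *
 * Wiring (one bean per <http> element, so the chains do NOT share a login URL):
 *
 *   <bean id="fooEntryPoint" class="example.LoginPageAwareEntryPoint">
 *       <constructor-arg value="/foo/login"/>
 *   </bean>
 *   <bean id="mainEntryPoint" class="example.LoginPageAwareEntryPoint">
 *       <constructor-arg value="/login"/>
 *   </bean>
 *
 *   <sec:http pattern="/foo/**" entry-point-ref="fooEntryPoint"> ... </sec:http>
 *   <sec:http pattern="/**"     entry-point-ref="mainEntryPoint"> ... </sec:http>
 */
public class LoginPageAwareEntryPoint implements AuthenticationEntryPoint {

    private static final String AJAX_HEADER = "X-Requested-With";
    private static final String AJAX_VALUE = "XMLHttpRequest";

    private final String loginFormUrl;

    public LoginPageAwareEntryPoint(String loginFormUrl) {
        // Insist on a context-relative absolute path. Accepting an arbitrary
        // string here (e.g. "http://evil.example/login") would turn the entry
        // point into an open redirect if the value ever came from configuration
        // that an attacker could influence.
        if (loginFormUrl == null || !loginFormUrl.startsWith("/") || loginFormUrl.startsWith("//")) {
            throw new IllegalArgumentException(
                    "loginFormUrl must be a context-relative path such as /foo/login");
        }
        this.loginFormUrl = loginFormUrl;
    }

    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        if (isAjax(request)) {
            // No redirect for scripts: a bare 401 lets the client-side code
            // decide how to re-authenticate. The reason text is deliberately
            // generic so nothing about the failure is disclosed.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
            return;
        }
        // Redirect relative to the servlet context so the same bean works when
        // the application is deployed under a non-root context path.
        String target = request.getContextPath() + loginFormUrl;
        response.sendRedirect(response.encodeRedirectURL(target));
    }

    /** True when the request announces itself as XMLHttpRequest. */
    static boolean isAjax(HttpServletRequest request) {
        return AJAX_VALUE.equalsIgnoreCase(request.getHeader(AJAX_HEADER));
    }

    public String getLoginFormUrl() {
        return loginFormUrl;
    }
}
```

If AJAX handling is not actually needed for the /foo/** chain, the simpler fix is to drop `entry-point-ref` from that `<http>` element altogether: `<form-login login-page="/foo/login"/>` then creates its own `LoginUrlAuthenticationEntryPoint` for that chain, and only the `/**` chain keeps the custom entry point. Either way, the check to run after the change is the one the question describes: request /foo/something as an anonymous user and confirm the 302 `Location` header now points at /foo/login, not /login.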

WhiteKnight

Reputation: 5056

Using the pattern attribute in the http element causes Spring Security 3.1 to apply that pattern to the URL before reading the rest of the inner elements, so if it doesn't match, it ignores all the inner elements and continues to the next http element.

Does something in your login page for /foo/login reference a resource that is covered by the /** pattern?

Upvotes: 0

Javier Ferrero

Reputation: 8811

Just a guess. Could it be that the patterns are additive?

So the following annotation:

<sec:http auto-config="true" pattern="/foo/**" entry-point-ref="ajaxAuthenticationEntryPoint">
    <sec:intercept-url pattern="/foo/**" access="ROLE_BASIC" />
</sec:http>

intercepts /foo/foo/**. That will cause a /foo/something request to be intercepted by your second http definition, the one with pattern="/**".

Upvotes: 2
