user2430147

Reputation: 299

Spring Security XML configuration with multiple HTTP elements: authentication not working as expected

I have an XML file for configuring Spring Security. I have multiple HTTP elements in the file, as I want to configure different headers for different sets of pages. It works as expected for setting the headers. However, the authentication is not working as I would have expected.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
        https://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        https://www.springframework.org/schema/security/spring-security.xsd">

    <http pattern="/B.html">
        <headers>
            <frame-options disabled="true"></frame-options>
        </headers>
        <http-basic />
        <intercept-url pattern="*" access="permitAll" />
    </http>


    <http pattern="/**">
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <http-basic />
    </http>
.
.
.
</beans:beans>

In this example, I want requests to "B.html" to not have the X-FRAME-OPTIONS header and to not require authentication, but all other requests to have the default security headers and to require authentication.

The header part of it works as expected, but requests to "B.html" require authentication.

As far as I can tell, each "HTTP" element is causing the creation of an AuthorizationFilter, with its own RequestMatcherDelegatingAuthorizationManager.

When the request to "B.html" is processed, all of the AuthorizationFilter instances are processed, which results in the request requiring authentication.

Putting <intercept-url pattern="/B.html" access="permitAll" /> in the second HTTP section does allow this to work, but it means duplicating things.

Is there a better way to achieve this? Would using the authorization-manager-ref attribute be appropriate? If so, are there any examples?

Thanks,

Carl

Upvotes: 0

Views: 26
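As an added illustration (not part of the question, and not Spring Security's own code), a small Python model of the dispatch the configuration above relies on: FilterChainProxy hands each request to the first declared SecurityFilterChain whose pattern matches and never consults later chains for it, and within that chain RequestMatcherDelegatingAuthorizationManager denies a request that no <intercept-url> rule matches. The model assumes Ant-style matching, including AntPathMatcher's rule that pattern and path must agree on a leading slash; the two alternative configurations beside the posted one are constructed for comparison.

```python
import re
from dataclasses import dataclass

def ant_match(pattern: str, path: str) -> bool:
    """Minimal Ant-style matcher.  Like Spring's AntPathMatcher, pattern and
    path must agree on a leading "/", so a bare "*" never matches "/B.html"."""
    if pattern in ("/**", "**"):
        return True
    if pattern.startswith("/") != path.startswith("/"):
        return False
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex.replace(r"\?", "[^/]"), path) is not None

@dataclass
class HttpElement:
    """One <http pattern="..."> block with its <intercept-url> rules, in order."""
    pattern: str
    rules: list  # [(intercept-url pattern, access expression)]

def select_chain(chains, path):
    """FilterChainProxy: the first chain whose pattern matches takes the request;
    the remaining chains are not run for it."""
    return next((c for c in chains if ant_match(c.pattern, path)), None)

def authorize(chain, path, authenticated):
    """RequestMatcherDelegatingAuthorizationManager: the first matching rule
    decides; a request that no rule matches is denied."""
    for rule_pattern, access in chain.rules:
        if ant_match(rule_pattern, path):
            return access == "permitAll" or (access == "isAuthenticated()" and authenticated)
    return False

def outcome(chains, path, authenticated=False):
    chain = select_chain(chains, path)
    if chain is None:
        return "no chain"
    if authorize(chain, path, authenticated):
        return f'allowed by <http pattern="{chain.pattern}">'
    # ExceptionTranslationFilter: anonymous callers get the http-basic challenge
    return "403 forbidden" if authenticated else "401 challenge"

# Constructed configurations mirroring the question's two <http> elements.
AS_POSTED = [HttpElement("/B.html", [("*", "permitAll")]),
             HttpElement("/**", [("/**", "isAuthenticated()")])]
RULE_WITH_SLASH = [HttpElement("/B.html", [("/**", "permitAll")]),
                   HttpElement("/**", [("/**", "isAuthenticated()")])]
CATCH_ALL_FIRST = list(reversed(RULE_WITH_SLASH))  # "/**" declared before "/B.html"

if __name__ == "__main__":
    for name, chains in [("as posted", AS_POSTED), ("rule with slash", RULE_WITH_SLASH),
                         ("catch-all first", CATCH_ALL_FIRST)]:
        print(f"{name:16} /B.html anonymous -> {outcome(chains, '/B.html')}")
        print(f"{name:16} /A.html anonymous -> {outcome(chains, '/A.html')}")
```

The third configuration shows the ordering caveat: a "/**" chain declared first takes "/B.html" before the more specific chain is ever considered.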

Answers (0)