How to use intercept-url pattern and access?

Question

I am using Spring security but i don't understand very well how intercept-url works. Here is my spring security config file :

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jdbc="http://www.springframework.org/schema/jdbc"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/jdbc
http://www.springframework.org/schema/jdbc/spring-jdbc-3.2.xsd">

    <!-- configuration des urls  -->
    <security:http auto-config="true">
        <security:intercept-url pattern="/*" access="ROLE_USER" />
        <security:form-login/>
    </security:http>


    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="authenticationProvider" />
    </security:authentication-manager>

    <bean id="authenticationProvider"
       class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsService" />
    </bean>

    <bean id="userDetailsService"
        class="com.nexthome.app.security.UserDetailsServiceImpl" />


</beans>

With this configuration, i cannot access without being authenticated. So when accessing the url http://localhost:8080/nexthome displays a spring login form (http://localhost:8080/nexthome/spring_security_login). But when i change the to . I am able to access to http://localhost:8080/nexthome/user/login without login.

My aim is to protected some url :

http://localhost:8080/nexthome  all people must access
http://localhost:8080/nexthome/login  all people must access ( how to display spring login form when trying to access the url?)
http://localhost:8080/nexthome/logout  access to ROLE_USER and ROLE_ADMIN

Thanks for your help

Answer 1

The pattern attribute on the security:intercept-url tag uses Ant paths. Under this syntax . has no meaning except for a literal .. So the pattern is most likely not recognized by Spring security and ignored.

If you want to require authentication for the /nexthome/logout url but not /nexthome/login and /nexthome you can use the following configuration:

<security:http auto-config="true">
    <intercept-url pattern="/nexthome" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/nexthome/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/nexthome/logout" access="ROLE_USER,ROLE_ADMIN" />
    <security:form-login/>
</security:http>

Answer 2

I've found the answer to my question :

<security:http auto-config="true">
        <security:intercept-url pattern="/register"
            access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/login*"
            access="ROLE_USER" />
        <security:intercept-url pattern="/logout*"
            access="ROLE_USER,ROLE_ADMIN" />
        <security:form-login/>
 </security:http>

Now the url
http:localhost:8080/nexthome is free access
http:localhost:8080/nexthome/regsiter is free access
http:localhost:8080/nexthome/login prompt the Spring Security login form before accessing the ressource
http:localhost:8080/nexthome/logout prompt the Spring Security login form before accessing the ressource