I am using Spring security but i don't understand very well how intercept-url works. Here is my spring security config file :
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/jdbc
http://www.springframework.org/schema/jdbc/spring-jdbc-3.2.xsd">
<!-- configuration des urls -->
<security:http auto-config="true">
<security:intercept-url pattern="/*" access="ROLE_USER" />
<security:form-login/>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="authenticationProvider" />
</security:authentication-manager>
<bean id="authenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService" />
</bean>
<bean id="userDetailsService"
class="com.nexthome.app.security.UserDetailsServiceImpl" />
</beans>
With this configuration, i cannot access without being authenticated. So when accessing the url http://localhost:8080/nexthome
displays a spring login form (http://localhost:8080/nexthome/spring_security_login
).
But when i change the to . I am able to access to http://localhost:8080/nexthome/user/login
without login.
My aim is to protected some url :
http://localhost:8080/nexthome all people must access
http://localhost:8080/nexthome/login all people must access ( how to display spring login form when trying to access the url?)
http://localhost:8080/nexthome/logout access to ROLE_USER and ROLE_ADMIN
Thanks for your help
The pattern attribute on the security:intercept-url
tag uses Ant paths. Under this syntax .
has no meaning except for a literal .
. So the pattern is most likely not recognized by Spring security and ignored.
If you want to require authentication for the /nexthome/logout
url but not /nexthome/login
and /nexthome
you can use the following configuration:
<security:http auto-config="true">
<intercept-url pattern="/nexthome" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/nexthome/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/nexthome/logout" access="ROLE_USER,ROLE_ADMIN" />
<security:form-login/>
</security:http>
I've found the answer to my question :
<security:http auto-config="true">
<security:intercept-url pattern="/register"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/login*"
access="ROLE_USER" />
<security:intercept-url pattern="/logout*"
access="ROLE_USER,ROLE_ADMIN" />
<security:form-login/>
</security:http>
Now the url
http:localhost:8080/nexthome
is free access
http:localhost:8080/nexthome/regsiter
is free access
http:localhost:8080/nexthome/login
prompt the Spring Security login form before accessing the ressource
http:localhost:8080/nexthome/logout
prompt the Spring Security login form before accessing the ressource
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With