I have searched here, Google and SpringSource for this and could not find a solution that worked for me. I have the below spring-security.xml, and when I use the pattern
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
This gives me a 404 error when it redirects to the login page. But this does not happen if I use
<intercept-url pattern="/index*" access="hasRole('ROLE_USER')" />
But obviously this does not secure the rest of the app.
I'm sure this is something simple I am overlooking, but the closest thing I could find was this Stack Overflow question, which I have already incorporated in my XML file below, but I still have the same issue. I have tried this without use-expressions="true", and I have tried switching the intercept-urls around (I'm not 100% sure, but I am fairly sure that the /** pattern should be the last one, as I believe URLs are matched in the same order as declared).
Any advice/help would be great.
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login" filters="none" access="permitAll" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <form-login login-page="/login" default-target-url="/welcome"
            authentication-failure-url="/loginfailed" />
        <logout logout-success-url="/logout" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="username" password="password" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
Just in case it is a factor, I'm using Spring and Spring Security 3.0.4.RELEASE.
Following Kris's advice, I changed
<intercept-url pattern="/login" filters="none" access="permitAll" />
to:
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
This caused a 500 error due to the exception:
SpelEvaluationException: EL1008E:(pos 0): Field or property
'IS_AUTHENTICATED_ANONYMOUSLY' cannot be found on object of
type'org.springframework.security.web.access.expression.WebSecurityExpressionRoot
I solved this by changing IS_AUTHENTICATED_ANONYMOUSLY to isAnonymous():
<intercept-url pattern="/login" access="isAnonymous()" />
Adds an AnonymousAuthenticationFilter to the stack and an AnonymousAuthenticationProvider. Required if you are using the IS_AUTHENTICATED_ANONYMOUSLY attribute.
spring security
or use isAnonymous() instead.
For completeness, here's the real reason this requires a change to isAnonymous().
The <http> element has an attribute use-expressions which defaults to true. In the default situation, you are required then to use "security expressions" instead of role names. If you wish to use only role names in access= declarations, you need to turn off expressions with
<http use-expressions="false"> ... </http>
Change this <intercept-url pattern="/login" filters="none" access="permitAll" />
to
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
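Pulling the points from this thread together, here is a complete spring-security.xml that keeps expression mode and orders the rules so the first match wins. This is an added example, not code from the question or any of the answers; the paths /login, /loginfailed, /welcome and /logout, the in-memory user and the schema versions are taken from the question, and the treatment of /loginfailed and /logout is an assumption (every page the unauthenticated user is sent to must itself be reachable without ROLE_USER, or the redirect ends in another denial).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <!-- use-expressions="true": every access= value must be a SpEL expression
         (permitAll, isAnonymous(), hasRole('...')). An attribute name such as
         IS_AUTHENTICATED_ANONYMOUSLY is only valid with use-expressions="false",
         and then hasRole('ROLE_USER') must become plain ROLE_USER. -->
    <http auto-config="true" use-expressions="true">
        <!-- Rules are checked in declaration order and the first match wins,
             so the specific, anonymously reachable pages come first. -->
        <intercept-url pattern="/login" access="isAnonymous()" />
        <!-- assumed: the failure page and logout landing page also need to be
             reachable without a ROLE_USER session -->
        <intercept-url pattern="/loginfailed" access="isAnonymous()" />
        <intercept-url pattern="/logout" access="permitAll" />
        <!-- The catch-all that locks down everything else comes last. -->
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

        <form-login login-page="/login"
                    default-target-url="/welcome"
                    authentication-failure-url="/loginfailed" />
        <logout logout-success-url="/logout" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- in-memory user from the question; not for production use -->
                <user name="username" password="password" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

Two things worth checking after applying this: first, isAnonymous() on /login means an already authenticated user who revisits the login page gets an access-denied response rather than the form, so use permitAll there if that matters to you; second, if you ever flip use-expressions to false, re-read every access= value, because a SpEL expression left behind fails in exactly the way the EL1008E exception above shows, only in the other direction.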