Multiple <http> elements in Spring security

Recently Spring Security has given the opportunity to configure several <http> elements. I'm trying to set a configuration for all the URLs which map the pattern /foo/* and another for the rest. Now I have two login pages, one set in /login and the other in /foo/login. So I want all the URLs which map /foo/** to do the login against /foo/login.

I have created a configuration like the one below, but when I enter a URL like /foo/something (which shouldn't be allowed to the anonymous user), instead of going to /foo/login it goes to /login.

The Spring Security version is 3.1.0.RC1. Any idea of what may be happening?

<sec:http auto-config="true" pattern="/foo/**" entry-point-ref="ajaxAuthenticationEntryPoint">
    <sec:intercept-url pattern="/foo/login" access="ROLE_ANONYMOUS,ROLE_BASIC,ROLE_ADMIN" />
    ...
    <!-- other sec:intercepts for some /foo/* urls -->
    ...
    <sec:intercept-url pattern="/foo/**" access="ROLE_BASIC" />
    
    <sec:custom-filter before="SECURITY_CONTEXT_FILTER" ref="basicProcessingFilter" />
    
    <sec:form-login login-page="/foo/login" authentication-failure-url="/foo/login" default-target-url="/index" always-use-default-target="true" />
    
    <sec:session-management>
        <sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login" />
    </sec:session-management>
</sec:http>

<sec:http auto-config="true" pattern="/**" entry-point-ref="ajaxAuthenticationEntryPoint">
    <!-- some sec:intercepts for some urls -->
    ...
    
    <sec:intercept-url pattern="/**" access="ROLE_ADMIN" />
    
    <sec:custom-filter before="SECURITY_CONTEXT_FILTER" ref="basicProcessingFilter" />
    
    <sec:form-login login-page="/login" default-target-url="/index" always-use-default-target="true" />
            
    <sec:session-management>
        <sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login" />
    </sec:session-management>
</sec:http>
Javi asked Jun 02 '11 09:06

2 Answers

Just a guess. Could it be that the patterns are additive?

So the following annotation:

<sec:http auto-config="true" pattern="/foo/**" entry-point-ref="ajaxAuthenticationEntryPoint">
    <sec:intercept-url pattern="/foo/**" access="ROLE_BASIC" />
</sec:http>

intercepts /foo/foo/**. That will cause a foo/something request to be intercepted by your second http definition, the one with pattern="/**".

Javier Ferrero answered Oct 05 '22 06:10

The AuthenticationEntryPoint is responsible for redirecting to the login page. You have injected a custom entry point which will override the login-page attribute on your form-login element.

Does ajaxAuthenticationEntryPoint redirect to /login?

Ideally, Spring Security should detect if you are attempting to use a custom entry point and a login-page and report a warning.

Shaun the Sheep answered Oct 05 '22 06:10
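The point of the accepted answer, as an added configuration example that is not the poster's own: the shared ajaxAuthenticationEntryPoint is replaced by one LoginUrlAuthenticationEntryPoint per <http> element, each pointing at that block's login page, so the entry point and the form-login login-page can no longer disagree. Bean names, the namespace prefixes and the anonymous access rule for /login are assumptions; the custom filter and session-management settings from the question are omitted because they do not affect the redirect.

```xml
<!-- Added example, not the original poster's configuration. Bean ids are assumed. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Entry point for the /foo/** block: unauthenticated requests go to /foo/login -->
    <bean id="fooEntryPoint"
          class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <constructor-arg value="/foo/login" />
    </bean>

    <!-- Entry point for the catch-all block: unauthenticated requests go to /login -->
    <bean id="defaultEntryPoint"
          class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <constructor-arg value="/foo/login".replace("/foo", "") />
    </bean>

    <!-- <http> elements are matched in declaration order, so the most specific pattern
         comes first; each one names the entry point that matches its own login-page. -->
    <sec:http pattern="/foo/**" entry-point-ref="fooEntryPoint">
        <sec:intercept-url pattern="/foo/login" access="ROLE_ANONYMOUS,ROLE_BASIC,ROLE_ADMIN" />
        <sec:intercept-url pattern="/foo/**" access="ROLE_BASIC" />
        <sec:form-login login-page="/foo/login" authentication-failure-url="/foo/login"
                        default-target-url="/index" always-use-default-target="true" />
    </sec:http>

    <sec:http pattern="/**" entry-point-ref="defaultEntryPoint">
        <!-- The login page itself must be reachable anonymously, otherwise the
             entry point redirects to a page that redirects again (assumed rule). -->
        <sec:intercept-url pattern="/login" access="ROLE_ANONYMOUS,ROLE_BASIC,ROLE_ADMIN" />
        <sec:intercept-url pattern="/**" access="ROLE_ADMIN" />
        <sec:form-login login-page="/login" default-target-url="/index"
                        always-use-default-target="true" />
    </sec:http>
</beans>
```

If the AJAX-aware behaviour of the original entry point is still needed, the same split applies: configure two instances of that class with different login URLs rather than one shared bean.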