Recently Spring Security has made it possible to configure several <http> elements. I'm trying to set one configuration for all the URLs which match the pattern /foo/* and another for the rest. Now I have two login pages, one at /login and the other at /foo/login, so I want all the URLs which match /foo/** to do the login against /foo/login.
I have created a configuration like the one below, but when I enter a URL like /foo/something (which shouldn't be allowed to the anonymous user), instead of going to /foo/login it goes to /login.
The Spring Security version is 3.1.0.RC1. Any idea what may be happening?
<sec:http auto-config="true" pattern="/foo/**" entry-point-ref="ajaxAuthenticationEntryPoint">
    <sec:intercept-url pattern="/foo/login" access="ROLE_ANONYMOUS,ROLE_BASIC,ROLE_ADMIN" />
    ...
    <!-- other sec:intercepts for some /foo/* urls -->
    ...
    <sec:intercept-url pattern="/foo/**" access="ROLE_BASIC" />
    <sec:custom-filter before="SECURITY_CONTEXT_FILTER" ref="basicProcessingFilter" />
    <sec:form-login login-page="/foo/login" authentication-failure-url="/foo/login" default-target-url="/index" always-use-default-target="true" />
    <sec:session-management>
        <sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login" />
    </sec:session-management>
</sec:http>
<sec:http auto-config="true" pattern="/**" entry-point-ref="ajaxAuthenticationEntryPoint">
    <!-- some sec:intercepts for some urls -->
    ...
    <sec:intercept-url pattern="/**" access="ROLE_ADMIN" />
    <sec:custom-filter before="SECURITY_CONTEXT_FILTER" ref="basicProcessingFilter" />
    <sec:form-login login-page="/login" default-target-url="/index" always-use-default-target="true" />
    <sec:session-management>
        <sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login" />
    </sec:session-management>
</sec:http>
An AuthenticationEntryPoint is used to send an HTTP response that requests credentials from a client (for form login, a redirect to the login page). Sometimes a client will proactively include credentials, such as a username and password, when requesting a resource, in which case the entry point is never invoked.
@EnableWebSecurity enables Spring Security's Java configuration. It is placed at class level together with @Configuration on the security class that extends WebSecurityConfigurerAdapter, which is the base implementation of the WebSecurityConfigurer interface; that class overrides configure(WebSecurity web) and configure(HttpSecurity http) to define the web security of the application.
An HttpSecurity is the Java-configuration counterpart of the XML <http> element in the namespace configuration. It configures web-based security for specific HTTP requests. By default it applies to all requests, but it can be restricted to a subset using requestMatcher(RequestMatcher), antMatcher(String) or similar methods, which is what the XML pattern attribute does for an <http> element.
Just a guess. Could it be that the patterns are additive?
So the following annotation:
<sec:http auto-config="true" pattern="/foo/**" entry-point-ref="ajaxAuthenticationEntryPoint">
    <sec:intercept-url pattern="/foo/**" access="ROLE_BASIC" />
</sec:http>
intercepts /foo/foo/**. That will cause a /foo/something request to be intercepted by your second http definition, the one with pattern="/**".
The AuthenticationEntryPoint is responsible for redirecting to the login page. You have injected a custom entry point which will override the login-page attribute on your form-login element.
Does ajaxAuthenticationEntryPoint redirect to /login?
Ideally, Spring Security should detect if you are attempting to use a custom entry point and a login-page and report a warning.
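The following is an added example, not code from the question or from either answer. It shows the same two-chain setup (one chain restricted to /foo/** with its own login page, one catch-all chain) using the Java configuration described above, and it makes the point of the answer above explicit in code: an entry point set through exceptionHandling().authenticationEntryPoint(...) takes precedence over loginPage(), just as entry-point-ref overrides <form-login login-page> in the XML namespace, so if you set one it must itself send the user to the right login page. It assumes the Spring Security 3.2 to 5.x Java-configuration API (WebSecurityConfigurerAdapter did not exist in the 3.1.0.RC1 used in the question and was removed in 6.x); the class names MultiHttpSecurityConfig, FooSecurityConfig and DefaultSecurityConfig are made up for the example, and the role names BASIC and ADMIN are taken from the question's access attributes.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/**
 * Added example (not from the original post): Java-config equivalent of two
 * <http> elements. Class names are hypothetical; API is Spring Security 3.2-5.x.
 */
@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    /** Lowest @Order wins: only requests matching /foo/** reach this chain. */
    @Configuration
    @Order(1)
    public static class FooSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Equivalent of <http pattern="/foo/**">. Without this the chain
                // would apply to every request and shadow the catch-all chain.
                .antMatcher("/foo/**")
                .authorizeRequests()
                    .antMatchers("/foo/login").permitAll()
                    .antMatchers("/foo/**").hasRole("BASIC")
                    .and()
                .formLogin()
                    .loginPage("/foo/login")
                    .failureUrl("/foo/login")
                    .defaultSuccessUrl("/index", true)
                    .and()
                // An explicitly configured entry point overrides the one that
                // loginPage() registers, exactly like entry-point-ref in XML.
                // If you need a custom entry point in this chain it must send
                // unauthenticated users to /foo/login, not /login; otherwise
                // simply omit exceptionHandling() and let loginPage() decide.
                .exceptionHandling()
                    .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/foo/login"))
                    .and()
                .sessionManagement()
                    .maximumSessions(1)
                    .maxSessionsPreventsLogin(true)
                    .expiredUrl("/foo/login");
        }
    }

    /** Catch-all chain for everything not matched by the /foo/** chain. */
    @Configuration
    @Order(2)
    public static class DefaultSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/login").permitAll()
                    .anyRequest().hasRole("ADMIN")
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .defaultSuccessUrl("/index", true)
                    .and()
                .sessionManagement()
                    .maximumSessions(1)
                    .maxSessionsPreventsLogin(true)
                    .expiredUrl("/login");
        }
    }
}
```

With this arrangement an anonymous request to /foo/something is handled by FooSecurityConfig and redirected to /foo/login, while an anonymous request to /admin falls through to DefaultSecurityConfig and is redirected to /login. Sharing one entry-point bean between both chains, as the question's XML does with ajaxAuthenticationEntryPoint, means both chains redirect to whatever single URL that bean is built with, which is the behaviour the question reports.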