Spring Security <http> and <intercept-url> pattern attributes

I have seen that the Spring Security OAuth2 samples have this defined in spring-servlet.xml:

    <http pattern="/users/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
          access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false" />
        <intercept-url pattern="/photos" access="ROLE_USER,SCOPE_READ" />
        <intercept-url pattern="/photos/trusted/**" access="ROLE_CLIENT,SCOPE_TRUST" />
        <intercept-url pattern="/photos/user/**" access="ROLE_USER,SCOPE_TRUST" />
        <intercept-url pattern="/photos/**" access="ROLE_USER,SCOPE_READ" />
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

Is the pattern attribute on the http tag valid? I could not find its definition in spring-security-2.0.1.xsd. If it is valid, what is the relationship between this pattern and the intercept-url's pattern attribute? For example, does the intercept path /photos/user/** have the final matching interception path of /users/photos/user/**? Thanks.

thlim asked Jan 09 '23 16:01


2 Answers

The pattern attribute was introduced in 3.1, which introduced namespace support for multiple filter chains. Spring Security 2 is very out of date (you shouldn't be using it).

The patterns in the intercept-url elements are independent, in that they are matched against the incoming request URI in the same way as the filter chain's http pattern is checked. However, if the latter doesn't match, the filter chain won't be applied to the request at all, so in order to have any effect, they must be consistent with the filter chain pattern.

For the example you've posted, this would mean that none of the /photos patterns have any effect. They should all have the prefix that the main filter chain matches - i.e. they should begin with /users/photos.

Shaun the Sheep answered Jan 12 '23 04:01
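The two-level matching described in the answer above, as an added example that is not part of the original question or answer and not Spring's own code: a small Python model of how a request path is first matched against the `<http pattern>` to select a filter chain, and only then against that chain's `<intercept-url>` rules in declaration order, first match wins. The Ant-style matcher here is a simplified re-implementation of the syntax Spring's AntPathMatcher accepts (`**`, `*`, `?`), and the configurations `AS_POSTED`, `PREFIXED` and `MISORDERED` are constructed for the illustration. Running it shows that with the rules as posted, `/users/photos/user/1` reaches the chain but no rule applies, while `/photos/user/1` is never seen by the chain at all; with the `/users/photos` prefix the rules take effect, and it also shows why the catch-all `/**` rule must come last.

```python
"""Model of how Spring Security 3.1+ applies <http pattern="..."> and the
<intercept-url pattern="..."> rules nested inside it.
Simplified re-implementation for illustration only; not Spring's code."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an Ant-style path pattern (the syntax Spring's AntPathMatcher uses):
    '**' spans any number of path segments, '*' any run of characters inside one
    segment, '?' exactly one character. Approximation of Spring's matcher."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and (i + 3 == len(pattern) or pattern[i + 3] == "/"):
            regex += "(?:/.*)?"      # '/**' as a whole segment: zero or more segments
            i += 3
        elif pattern.startswith("**", i):
            regex += ".*"            # '**' glued to other text: match anything
            i += 2
        elif pattern[i] == "*":
            regex += "[^/]*"         # stays within one segment
            i += 1
        elif pattern[i] == "?":
            regex += "[^/]"
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.compile("^" + regex + "$")


@dataclass(frozen=True)
class InterceptUrl:
    pattern: str   # matched against the full servlet path, NOT relative to the chain pattern
    access: str


@dataclass(frozen=True)
class HttpChain:
    pattern: str                      # the <http pattern="..."> attribute
    rules: Tuple[InterceptUrl, ...]   # consulted in declaration order; first match wins


def resolve(chains: Tuple[HttpChain, ...], path: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (pattern of the chain that handled the request, required access).

    Step 1: the first <http> chain whose pattern matches the path is selected.
    Step 2: within that chain only, the first <intercept-url> whose pattern
    matches supplies the access expression. A chain match with no rule match
    yields None: this chain imposes no constraint on the request (whether Spring
    then lets it through depends on the interceptor's rejectPublicInvocations
    setting, false by default). No chain match at all means Spring Security
    does not process the request."""
    for chain in chains:
        if ant_to_regex(chain.pattern).match(path):
            for rule in chain.rules:
                if ant_to_regex(rule.pattern).match(path):
                    return chain.pattern, rule.access
            return chain.pattern, None
    return None, None


# Constructed configurations for the illustration.
# The rules exactly as posted in the question: chain /users/**, rules under /photos.
AS_POSTED = (HttpChain("/users/**", (
    InterceptUrl("/photos", "ROLE_USER,SCOPE_READ"),
    InterceptUrl("/photos/trusted/**", "ROLE_CLIENT,SCOPE_TRUST"),
    InterceptUrl("/photos/user/**", "ROLE_USER,SCOPE_TRUST"),
    InterceptUrl("/photos/**", "ROLE_USER,SCOPE_READ"),
)),)

# The same rules carrying the prefix the chain actually matches.
PREFIXED = (HttpChain("/users/**", (
    InterceptUrl("/users/photos", "ROLE_USER,SCOPE_READ"),
    InterceptUrl("/users/photos/trusted/**", "ROLE_CLIENT,SCOPE_TRUST"),
    InterceptUrl("/users/photos/user/**", "ROLE_USER,SCOPE_TRUST"),
    InterceptUrl("/users/photos/**", "ROLE_USER,SCOPE_READ"),
)),)

# Ordering pitfall: the catch-all placed first shadows the stricter trusted rule.
MISORDERED = (HttpChain("/users/**", (
    InterceptUrl("/users/photos/**", "ROLE_USER,SCOPE_READ"),
    InttterceptUrl("/users/photos/trusted/**", "ROLE_CLIENT,SCOPE_TRUST") if False else
    InterceptUrl("/users/photos/trusted/**", "ROLE_CLIENT,SCOPE_TRUST"),
)),)

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("prefixed", PREFIXED), ("misordered", MISORDERED)):
        for path in ("/users/photos/user/1", "/users/photos/trusted/1", "/users/photos", "/photos/user/1"):
            print(f"{name:10s} {path:24s} -> {resolve(cfg, path)}")
```

Note that intercept-url patterns are matched against the servlet path plus path info, with the web application's context path already stripped, so the chain pattern and the rule patterns are compared against the same string; the rule patterns are simply not prefixed with the chain pattern for you.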


In the case of Spring Security 4, the role is checked with hasRole('ADMIN'). Just try it.

It works fine for me.

jins varghese answered Jan 12 '23 06:01