Spring security issue with 404 error?

Greetings all, I am using Spring Security 3.0.2 and urlRewrite 3.1.0, and I have a problem with Spring Security. I have a rule that all the pages in the app require authentication except for some pages, so my security.xml is:

<http use-expressions="true">
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/error" filters="none" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    ...
</http>

In the web.xml I have defined the error page:

<error-page>
    <error-code>404</error-code>
    <location>/p/error</location>
</error-page>

The issue is that if I am not a logged-in user and I type some URL that doesn't exist in the app, like app/notFoundUrl, Spring Security matches this page to the pattern /**, which requires authentication, so the user is not redirected to the error page as expected, but redirected to the login page and only after that redirected to the error page.

I want that if the user types a bad URL, whether he's logged in or not, he's redirected to the error page directly.

I think that the problem is related to the web.xml; here it is:

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <!-- Beans in these files will make up the configuration of the root web application context -->
    <!-- Bootstraps the root web application context before servlet initialization -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Deploys the 'projects' dispatcher servlet whose configuration resides in /WEB-INF/servlet-config.xml -->
    <servlet>
        <servlet-name>p</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/servlet-config.xml
            </param-value>
        </init-param>
    </servlet>

    <!-- Maps all /p URLs to the 'p' servlet -->
    <servlet-mapping>
        <servlet-name>p</servlet-name>
        <url-pattern>/p/*</url-pattern>
    </servlet-mapping>

    <error-page>
        <error-code>404</error-code>
        <location>/p/error</location>
    </error-page>

    <!-- force encoding on the requests -->
    <filter>
        <filter-name>encoding-filter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>utf-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>encoding-filter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>UrlRewriteFilter</filter-name>
        <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>UrlRewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Security -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/application-config.xml
            /WEB-INF/app-security.xml
            /WEB-INF/mvc-config.xml
        </param-value>
    </context-param>

    <session-config>
        <session-timeout>1</session-timeout>
    </session-config>

</web-app>

Any ideas how to solve this issue?

Mahmoud Saleh asked Nov 11 '10 10:11


4 Answers

You have said:

i want that if the user typed a bad url if he's logged in or not, he's redirected to the error page directly

Spring Security will intercept every request before it knows whether its URL is valid or not, so a way to get it would be to intercept all valid URLs with some patterns, and add at the end a general pattern which could be accessed by anyone.

<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/validUrl1Pattern"  access="permitAll" />  
<intercept-url pattern="/validUrl2Pattern"  access="permitAll" />  
<intercept-url pattern="/validUrl2Pattern"  access="permitAll" />  
...
<intercept-url pattern="/**" access="ROLE_ANONYMOUS" />

The problem with this configuration is that it is probably difficult to find patterns for all the valid URLs if your application is complex.

Javi answered Oct 23 '22 12:10


Yep, just add this:

<intercept-url pattern="/error/**" access="permitAll" />

That will make it so that anyone can get to all your error pages.

Grant Cermak answered Oct 23 '22 13:10


When you set the attribute access="true", you tell Spring Security to check if the user has the security attribute (which is normally a role) named "true". I don't think that is your goal?

To bypass security, you may set filters="none" and skip the access attribute: <intercept-url pattern="/errorpage" filters="none" />

See the documentation of <intercept-url>.

dube answered Oct 23 '22 13:10


Add /error to your list of <intercept-url/> elements so that it doesn't require authentication in order to access it.

Alex Marshall answered Oct 23 '22 14:10
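As an added example (not code from the question or from any of the answers above), the following Python script models the behaviour every answer relies on: Spring Security evaluates <intercept-url> elements in declaration order, the first pattern that matches wins, and the comparison is made against the request path with the context path removed (so app/notFoundUrl is seen as /notFoundUrl and the error page as /p/error). It replays the question's three rules, then a corrected set that permits the path web.xml actually forwards 404s to, and finally an enumerated set in the spirit of Javi's answer. The pattern /p/error/** and the application prefix /p/** are assumptions about this app's layout; the small Ant-to-regex translator covers only the pattern subset used here, not all of Spring's AntPathMatcher.

```python
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (Ant path pattern, access attribute)

# Constructed from the question's security.xml. "filters=none" is a label
# standing in for filters="none", which skips the security filter chain.
QUESTION_RULES: List[Rule] = [
    ("/", "permitAll"),
    ("/error", "filters=none"),
    ("/**", "isAuthenticated()"),
]

# Assumed correction for this app's layout: web.xml forwards 404s to
# /p/error, so the permitted pattern must cover the /p servlet path.
FIXED_RULES: List[Rule] = [
    ("/", "permitAll"),
    ("/p/error/**", "permitAll"),
    ("/**", "isAuthenticated()"),
]

# Javi's approach, adapted with assumed paths: protect the real application
# prefix first, then let everything else through so the container answers
# 404 and forwards to the error page without a login round-trip.
ENUMERATED_RULES: List[Rule] = [
    ("/", "permitAll"),
    ("/p/error/**", "permitAll"),
    ("/p/**", "isAuthenticated()"),
    ("/**", "permitAll"),
]


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regex.

    '/**' matches zero or more whole segments (so '/a/**' also matches '/a'),
    '*' matches within one segment and '?' matches one non-slash character.
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def first_match(rules: List[Rule], path: str) -> Optional[Rule]:
    """Return the first rule whose pattern matches `path` (declaration order).

    `path` is the request URI without the context path, which is what
    Spring Security compares against.
    """
    for rule in rules:
        if ant_to_regex(rule[0]).match(path):
            return rule
    return None


def required_access(rules: List[Rule], path: str) -> Optional[str]:
    """Access constraint an anonymous request to `path` is held to."""
    match = first_match(rules, path)
    return match[1] if match else None


def walk(rules: List[Rule], paths: List[str]) -> None:
    """Print which rule each probe path lands on, for reading at the shell."""
    for path in paths:
        print(f"{path:16} -> {first_match(rules, path)}")


if __name__ == "__main__":
    probes = ["/", "/error", "/p/error", "/notFoundUrl", "/p/secret"]
    for name, rules in [("question", QUESTION_RULES),
                        ("fixed", FIXED_RULES),
                        ("enumerated", ENUMERATED_RULES)]:
        print(f"--- {name}")
        walk(rules, probes)
```

Run it with python and compare the three tables. With the question's rules, /p/error falls through to /** because the pattern /error never matches it, so even the error page demands authentication. The fixed set lets an anonymous user reach the error page, but /notFoundUrl itself still hits isAuthenticated() first, which is why the login redirect happens before the 404 is ever produced. The enumerated set removes that redirect at the cost Javi describes: a trailing permitAll catch-all is fail-open, so any application path not covered by an earlier, more specific rule becomes reachable without a login, and the protected prefix has to stay ahead of it.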