Able To Include Parameters and Values in Security Pattern?

Hi,

I am attempting to use the Spring security pattern to intercept a URL that includes a particular parameter and value. Can someone tell me if what I am attempting is feasible and if so, what am I doing wrong please? Details as follows.

There are two types of user that can access the same page. However, each user is limited to one request value as shown below.

<security:intercept-url pattern="/**foo.htm?parameter=value1*" access="ROLE_USER1"/>
<security:intercept-url pattern="/**foo.htm?parameter=value2*" access="ROLE_USER2"/>

However, I am finding that the above configuration will not permit ROLE_USER1 to access a page with request:
...foo.htm?parameter=value1

I have tried a couple of variations, but neither of these worked either:

<security:intercept-url pattern="/**foo.htm\?parameter=value1*" access="ROLE_USER1"/>
<security:intercept-url pattern="/**foo.htm*parameter=value1*" access="ROLE_USER1"/>

Should I be able to filter on a parameter value and if so, what is the correct syntax?

Thank you.

Regards

Brett S

Query strings are stripped when using ant paths. You can switch to regular expression matching for more complicated matches.

Hi Luke,

Thanks for your reply. I did as you suggested (after upgrading to version 3.03) and the following worked exactly as required:

<http auto-config="false" path-type="regex">
...
<intercept-url pattern="/.*foo\.htm\?parameter=value1.*" access="ROLE_USER1"/>
<intercept-url pattern="/.*foo\.htm\?parameter=value2.*" access="ROLE_USER2"/>
...
</http>


However, I now have a problem in a JSP where I am attempting to do this:

<sec:authorize access="hasRole('ROLE_USER1')">
USER1 stuff here...
</sec:authorize>

What happens is my environment throws this error:

javax.servlet.ServletException: javax.servlet.jsp.JspException: No visible WebSecurityExpressionHandler instance could be found in the application context. There must be at least one in order to support expressions in JSP 'authorize' tags.
org.apache.jasper.runtime.PageContextImpl.doHandle PageException(PageContextImpl.java:850)

The documentation states:
"The expression evaluation will be delegated to the WebSecurityExpressionHandler defined in the application context (you should have web expressions enabled in your <http> namespace configuration to make sure this service is available)."

However, I have been googling this and can't for the life of me figure out what I should put in the application context. Any suggestions?

Thank you

Regards

Brett S

Setup your <http> configuration to use expression-based access attributes.

Hey Luke,

That did the trick!

I added:
use-expressions="true" to my <http> markup.

An unexpected consequence was I had to change the access expressions from:
access="ROLE_USER1"
to:
access="hasRole('ROLE_USER1')"

So, I ended up with the following markup
<http auto-config="false" path-type="regex" use-expressions="true">
...
<intercept-url pattern="/.*foo\.htm\?parameter=value1.*" access="hasRole('ROLE_USER1')"/>
<intercept-url pattern="/.*foo\.htm\?parameter=value2.*" access="hasRole('ROLE_USER2')"/>
...
</http>

and now this JSP expression works too:
<sec:authorize access="hasRole('ROLE_USER1')">
USER1 stuff here...
</sec:authorize>

Thanks again Luke. No I can get some sleep.

Regards

Brett S