Hi,
I have defined several intercept-url patterns that use filters='none' since I want to remove any filters from being applied (example '/test/**'). One of these URL's sub files should be protected, so I defined the URL ('test/protected') and the access control. Since order is important, I define the more specific one first, as shown in the example below. However, at run time '/test/**' is always matched.
I attached a debugger to see what was going on and I looked at the logs.
Code:
<http auto-config="true">
    <intercept-url pattern="/images/**" filters="none"/>
    <intercept-url pattern="/styles/**" filters="none"/>
    <intercept-url pattern="/resources/**" filters="none"/>
    <intercept-url pattern="/test/protected" access="ROLE_USER, ROLE_ADMIN"/>
    <intercept-url pattern="/test/**" filters="none"/>
    <intercept-url pattern="/logged-out" filters="none" />
    <intercept-url pattern="/" filters="none" />
    <intercept-url pattern="/manage/**" access="ROLE_USER, ROLE_ADMIN"/>
    <logout logout-success-url="/logged-out" logout-url="/logout"/>
</http>
URL patterns dealing with access control are handled by FilterSecurityInterceptor/DefaultFilterInvocationSecurityMetadataSource, while those dealing with which filters to use are handled by 'FilterChainProxy'. FilterChainProxy runs first and if the request URL matches any of the patterns with filter='none' then no further processing happens. My URL '/test/protected' would be processed by 'DefaultFilterInvocationSecurityMetadataSource' but FilterChainProxy never passes it down.
Is this a bug in how the <http> namespace is interpreted? I would expect 'test/protected' to show up in the 'FilterChainProxy' with the same filters as '/**'.
I am using Spring Security 3.0.5.
Code:
2011-07-21 09:39:04,065 DEBUG: org.springframework.security.web.FilterChainProxy - Converted URL to lowercase, from: '/test/protected'; to: '/test/protected'
2011-07-21 09:39:04,065 DEBUG: org.springframework.security.web.FilterChainProxy - Candidate is: '/test/protected'; pattern is /images/**; matched=false
2011-07-21 09:39:04,065 DEBUG: org.springframework.security.web.FilterChainProxy - Converted URL to lowercase, from: '/test/protected'; to: '/test/protected'
2011-07-21 09:39:04,066 DEBUG: org.springframework.security.web.FilterChainProxy - Candidate is: '/test/protected'; pattern is /styles/**; matched=false
2011-07-21 09:39:04,066 DEBUG: org.springframework.security.web.FilterChainProxy - Converted URL to lowercase, from: '/test/protected'; to: '/test/protected'
2011-07-21 09:39:04,066 DEBUG: org.springframework.security.web.FilterChainProxy - Candidate is: '/test/protected'; pattern is /resources/**; matched=false
2011-07-21 09:39:04,066 DEBUG: org.springframework.security.web.FilterChainProxy - Converted URL to lowercase, from: '/test/protected'; to: '/test/protected'
2011-07-21 09:39:04,066 DEBUG: org.springframework.security.web.FilterChainProxy - Candidate is: '/test/protected'; pattern is /test/**; matched=true
2011-07-21 09:39:04,066 DEBUG: org.springframework.security.web.FilterChainProxy - /test/protected has an empty filter list


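Added example, not part of the original post and not Spring Security code: a small Python lint that models the two-stage matching described in the post and reports access rules that a filters="none" pattern makes unreachable. Assumptions: the Ant-style matcher is a simplified stand-in, the sample-path probe is a heuristic, both sides are lowercased as in the log, and the embedded <http> block is constructed from the post's configuration without XML namespaces.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <http> block from the post, trimmed to the relevant rules.
CONFIG = """
<http auto-config="true">
  <intercept-url pattern="/images/**" filters="none"/>
  <intercept-url pattern="/test/protected" access="ROLE_USER, ROLE_ADMIN"/>
  <intercept-url pattern="/test/**" filters="none"/>
  <intercept-url pattern="/manage/**" access="ROLE_USER, ROLE_ADMIN"/>
</http>
"""

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: '**' spans directories, '*' and '?' do not."""
    tail = ""
    if pattern.endswith("/**"):  # '/test/**' also covers '/test' itself
        pattern, tail = pattern[:-3], "(/.*)?"
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    body = "".join(table.get(t) or re.escape(t) for t in re.findall(r"\*\*|\*|\?|[^*?]+", pattern))
    return re.compile(body + tail + r"\Z")

def sample_path(pattern):
    """One concrete URL the pattern matches, used to probe the bypass list (heuristic)."""
    return pattern.replace("**", "x/y").replace("*", "x").replace("?", "x")

def load_rules(xml_text):
    rules = ET.fromstring(xml_text).findall("intercept-url")
    bypass = [r.get("pattern") for r in rules if r.get("filters") == "none"]
    access = [(r.get("pattern"), r.get("access")) for r in rules if r.get("access")]
    return bypass, access

def bypassing_pattern(url, bypass):
    """Stage 1 as the post describes it: first filters="none" pattern that matches."""
    url = url.lower()
    for p in bypass:
        if ant_to_regex(p.lower()).match(url):
            return p
    return None

def shadowed_access_rules(xml_text):
    """Access rules that never run because stage 1 already emptied the filter list."""
    bypass, access = load_rules(xml_text)
    probed = [(p, roles, bypassing_pattern(sample_path(p), bypass)) for p, roles in access]
    return [f for f in probed if f[2]]

if __name__ == "__main__":
    for pattern, roles, hit in shadowed_access_rules(CONFIG):
        print(f'{pattern} ({roles}) is unreachable: shadowed by filters="none" on {hit}')
```

Position in the file does not matter to the result: the access rule for /test/protected is listed before /test/** and is still reported, which matches the log output in the post.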
