Results 1 to 5 of 5

Thread: [intercept-url method attribute] not work with put and delete

  1. Mar 2nd, 2012, 09:49 AM #1
    Javaspritz
    Javaspritz is offline Junior Member
    Join Date
    Jul 2010
    Posts
    8

    Default [intercept-url method attribute] not work with put and delete

    Hi all,

    for first sorry for my english.

    I'm using spring-security 3.1 into a Spring3 web application but I can't intercept URL with PUT or DELETE method.

    I'm using the httpMethodFilter (works fine with controller classes) and placed it before the springSecurityFilterChain in web.xml

    example
    Code:
    <security:intercept-url pattern="/user/*" access="hasAnyRole('ROLE_USER_WRITE')" method="DELETE"/>
    Logged user don't have ROLE_USER_WRITE (only ROLE_USER_READ) but the delete method is not intercepted!!!
    If i change the code with

    Code:
    <security:intercept-url pattern="/user/*" access="hasAnyRole('ROLE_USER_WRITE')" method="POST"/>
    It works fine.

    It seems don't recognize PUT and DELETE verb but only GET and POST.
    I can change my URLs but I prefer to find a RESTful solution.

    Thanks in advance.
    Reply With Quote Reply With Quote
  2. Mar 2nd, 2012, 06:53 PM #2
    Rob Winch
    Rob Winch is offline Senior Member Spring Team
    Join Date
    Jan 2008
    Posts
    1,826

    Default

    Are you using HiddenHttpMethodFilter to emulate DELETE and PUT? If so the filter-mapping needs to be before the springSecurityFilterChain.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
    Reply With Quote Reply With Quote
  3. Mar 3rd, 2012, 03:11 AM #3
    Javaspritz
    Javaspritz is offline Junior Member
    Join Date
    Jul 2010
    Posts
    8

    Default

    I noticed that if I set the HttpMethodFilter like this

    <filter>
    <filter-name>httpMethodFilter</filter-name>
    <filter-class>org.springframework.web.filter.HiddenHttpMet hodFilter</filter-class>
    </filter>

    <filter-mapping>
    <filter-name>httpMethodFilter</filter-name>
    <servlet-name>dispatcher</servlet-name>
    </filter-mapping>
    doesn't work!

    Instead:
    <filter>
    <filter-name>httpMethodFilter</filter-name>
    <filter-class>org.springframework.web.filter.HiddenHttpMet hodFilter</filter-class>
    </filter>

    <filter-mapping>
    <filter-name>httpMethodFilter</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
    Finally works!

    Is it maybe because the Spring Security Filter works BEFORE che Dispatcher Servlet?

    In the first case the flow I think will be:
    1) Spring security Filter
    2) Http Method Filter
    3) Dispatcher Servlet

    Mapping HttpMethodFilter with "/*" (instead on Dispatcher servlet) and placing BEFORE Spring Security Filter in Web.xml the flow is

    1) Http Method Filter
    2) Spring security Filter
    3) Dispatcher Servlet

    Do you think is right?!
    Reply With Quote Reply With Quote
  4. Mar 3rd, 2012, 11:22 AM #4
    Rob Winch
    Rob Winch is offline Senior Member Spring Team
    Join Date
    Jan 2008
    Posts
    1,826

    Default

    Quote Originally Posted by Javaspritz View Post
    Do you think is right?!
    Yes. This is what I was recommending in my previous post.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
    Reply With Quote Reply With Quote
  5. Mar 4th, 2012, 05:18 AM #5
    Javaspritz
    Javaspritz is offline Junior Member
    Join Date
    Jul 2010
    Posts
    8

    Default

    Ok, sorry.

    I didn't understand.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules