
Thread: Problem with intercept-patterns and REST

  1. #1
    Problem with intercept-patterns and REST

    Hi,

    I have a problem with users being able to access pages that they shouldn't.

    Example mapping that should only be accessed by editors:
    Code:
    import org.springframework.stereotype.Controller;
    import org.springframework.ui.ModelMap;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.context.request.NativeWebRequest;

    @Controller
    @RequestMapping("/*/??_??/account/{groupType}")
    public class GroupController {

        // GET /<site>/<lang>/account/<groupType>/add
        @RequestMapping(method = RequestMethod.GET, value = "/add")
        public String addGroup(ModelMap model, NativeWebRequest request) {
            [...]
    In case groupType equals "page", only an editor can access this page. When it's "other", all users can access it.

    Code:
    <http use-expressions="true" entry-point-ref="myAuthenticationProcessingFilterEntryPoint">
        <intercept-url pattern="/*/*/account/page/add/" access="hasRole('ROLE_EDITOR')" />
        <intercept-url pattern="/*/*/account/**" access="isAuthenticated()" />
        [...]
    (In my case myAuthenticationProcessingFilterEntryPoint extends LoginUrlAuthenticationEntryPoint.)

    I have a few examples here with 3 URLs that should all be denied access.

    URLs:
    * /xyz/NL_nl/account/page/add/ => access denied to non-editors OK
    * /xyz/NL_nl/account/page/add => access approved to non-editors FAIL
    * /xyz/NL_nl/account/page/add.html => access approved to non-editors FAIL

    Code:
    <http use-expressions="true" entry-point-ref="myAuthenticationProcessingFilterEntryPoint">
        <intercept-url pattern="/*/*/account/page/add*" access="hasRole('ROLE_EDITOR')" />
        <intercept-url pattern="/*/*/account/**" access="isAuthenticated()" />
        [...]
    URLs:
    * /xyz/NL_nl/account/page/add/ => access approved to non-editors FAIL
    * /xyz/NL_nl/account/page/add => access denied to non-editors OK
    * /xyz/NL_nl/account/page/add.html => access denied to non-editors OK

    Code:
    <http use-expressions="true" entry-point-ref="myAuthenticationProcessingFilterEntryPoint">
        <intercept-url pattern="/*/*/account/page/add**" access="hasRole('ROLE_EDITOR')" />
        <intercept-url pattern="/*/*/account/**" access="isAuthenticated()" />
        [...]
    URLs:
    * /xyz/NL_nl/account/page/add/ => access approved to non-editors FAIL
    * /xyz/NL_nl/account/page/add => access denied to non-editors OK
    * /xyz/NL_nl/account/page/add.html => access denied to non-editors OK


    I have two questions:
    * How can I implement the pattern in such a way that all 3 URL options deny access?
    * Why doesn't Spring Security handle the issue of trailing slash/*.html by default? It seems very easy to make a dangerous mistake here. Spring automatically processes the *.html extension, and your webserver may automatically add a trailing slash, or not.

  2. #2

    Spring Security only does what you tell it to do and nothing more. It does not make assumptions about your underlying stack (i.e. just because Spring MVC allows different extensions doesn't matter since you might be using Spring Security with another framework). In general, * means anything within this folder and ** means any number of folders. You can learn more and see some examples on the Spring Security Fundamentals presentation around 24 min in.

    In short, I believe you are looking for /*/*/account/page/add*/**. You can also declare multiple intercept-url elements to match on each of your patterns individually.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
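    An added example, not code from the thread or from Spring itself: it checks the three patterns tried above and the one suggested in the reply against the three URL variants using org.springframework.util.AntPathMatcher, the Ant-style matcher behind intercept-url patterns (assumed on the classpath via spring-core). Any variant a pattern fails to match falls through to the broader /*/*/account/** rule, so only a pattern that covers all three is a safe editor-only rule; the class name InterceptPatternCheck is made up.

    ```java
    import java.util.Arrays;
    import java.util.List;
    import org.springframework.util.AntPathMatcher;

    /**
     * Reports, for each candidate intercept-url pattern, which URL variants it
     * matches. A variant the editor-only pattern misses is handled by the next
     * rule (isAuthenticated()) and is served to any logged-in user.
     */
    public class InterceptPatternCheck {

        // Constructed sample URLs: the three variants observed in the thread.
        static final List<String> URLS = Arrays.asList(
                "/xyz/NL_nl/account/page/add/",
                "/xyz/NL_nl/account/page/add",
                "/xyz/NL_nl/account/page/add.html");

        // The three patterns from the question plus the one from the reply.
        static final List<String> PATTERNS = Arrays.asList(
                "/*/*/account/page/add/",
                "/*/*/account/page/add*",
                "/*/*/account/page/add**",
                "/*/*/account/page/add*/**");

        /** True only if the pattern matches every URL variant. */
        static boolean coversAll(AntPathMatcher matcher, String pattern) {
            for (String url : URLS) {
                if (!matcher.match(pattern, url)) {
                    return false;
                }
            }
            return true;
        }

        public static void main(String[] args) {
            AntPathMatcher matcher = new AntPathMatcher();
            for (String pattern : PATTERNS) {
                System.out.println(pattern);
                for (String url : URLS) {
                    boolean hit = matcher.match(pattern, url);
                    System.out.println("  " + url + " -> "
                            + (hit ? "editor rule" : "FALLS THROUGH to account/**"));
                }
                System.out.println("  covers all variants: " + coversAll(matcher, pattern));
            }
        }
    }
    ```

    Only the last pattern reports true for coversAll: the trailing "/**" matches zero or more further segments, so "/add/" and "/add" both match, and "add*" absorbs the ".html" suffix.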

  3. #3

    Thanks that did the trick.
