
Thread: Spring security 3 and Url Rewrite

  1. #21
    Join Date
    Apr 2010
    Posts
    22

    Default

    Quote Originally Posted by bennyn View Post
    I use version 3.2. With your configuration the Login works now!
    I had to change the form action url in my login.jsp from:


    To:


    The only things which are not working yet are the "Logout" and my JavaScripts and CSS from my JSPs.

    Before using REST I always did the logout with the following url: http://localhost:8080/ksw/j_spring_security_logout
    But this is not possible anymore. I always get the warning:


    Things which I have linked in my JSPs with:


    Do also give a warning, e.g.:


    My urlrewrite.xml is now:


    P.S. If we get things to work, then I will write an entry in my blog so that nobody else pulls his/her hair out.

    Because you use version 3.2, you need to add the attribute last="true" to those rules for Spring Security.

    The js folder in your webcontent cannot be accessed because you need to add a rule for it in your urlrewrite.xml, just as you need to add every other static folder (for example, the css files folder) in your webcontent folder.

    This is what your urlrewrite.xml should look like:

    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 3.2//EN"
    "http://tuckey.org/res/dtds/urlrewrite3.2.dtd">
    <urlrewrite default-match-type="wildcard">
    
    	<!-- Access to js folder in webcontent -->
    	<rule>
    	<from>/js**</from>
    	<to last="true">/js$1</to>
    	</rule>
    	<!-- End Access to js folder in webcontent -->
    	
    	<!-- Spring Security Servlets -->
    	<rule>
    	<from>/j_spring_security_check**</from>
    	<to last="true">/j_spring_security_check$1</to>
    	</rule>
    	
    	<rule>
    	<from>/j_spring_security_logout**</from>
    	<to last="true">/j_spring_security_logout$1</to>
    	</rule>
    	<!-- End Spring Security Servlets -->
    	
    	<!-- Spring Framework -->
    	<rule>
    	<from>/**</from>
    	<to>/app/$1</to>
    	</rule>
    	<outbound-rule>
    	<from>/app/**</from>
    	<to>/$1</to>
    	</outbound-rule>
    	<!-- End Spring Framework -->
    	
    </urlrewrite>

  2. #22
    Join Date
    Jun 2010
    Posts
    10

    Thumbs up

    You are fantastic! Logout seems to work now.

    My urlrewrite.xml is:

    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 3.2//EN"
    "http://tuckey.org/res/dtds/urlrewrite3.2.dtd">
    <urlrewrite default-match-type="wildcard">

    <!-- Static Web Content -->
    <rule>
    <from>/js**</from>
    <to last="true">/js$1</to>
    </rule>
    <rule>
    <from>/images**</from>
    <to last="true">/images$1</to>
    </rule>

    <!-- Spring Security -->
    <rule>
    <from>/j_spring_security_check**</from>
    <to last="true">/j_spring_security_check$1</to>
    </rule>
    <rule>
    <from>/j_spring_security_logout**</from>
    <to last="true">/j_spring_security_logout$1</to>
    </rule>

    <!-- Spring Web MVC -->
    <rule>
    <from>/**</from>
    <to>/app/$1</to>
    </rule>
    <outbound-rule>
    <from>/app/**</from>
    <to>/$1</to>
    </outbound-rule>
    </urlrewrite>
    To secure http://localhost:8080/ksw/page I have to write this in my applicationContext-security.xml:
    Code:
    <intercept-url pattern="/app/page" access="ROLE_USER" />
    If I access http://localhost:8080/ksw/page, then my login page comes up, and if I log in successfully I get a 404 error because the login page wants to redirect me to http://localhost:8080/ksw/app/page after the login.
    If I strip off the "/app" in my intercept-url pattern then the site http://localhost:8080/ksw/page isn't secured by Spring Security (no display of login-page for anonymous users).

    This is the last sign I have to solve to get my application working with REST. Thank you very much for your help and your patience.

  3. #23
    Join Date
    Jun 2010
    Posts
    10

    Arrow

    Today I played around a bit with securing my webpages. If I want to access http://localhost:8080/ksw/page then Spring Security blocks me and wants me to log in (yeah!). After a successful login, Spring Security redirects me to http://localhost:8080/ksw/app/page with status code 200, so the page is ok and can be seen. :-) The only problem I have with it is that the URL is http://localhost:8080/ksw/app/page and not http://localhost:8080/ksw/page.

    My controller:
    Code:
    @RequestMapping("/page")
    { ... }
    My applicationContext-security.xml:
    Code:
    <intercept-url pattern="/app/page" access="ROLE_USER" />
    My urlrewrite.xml is:

    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 3.2//EN"
    "http://tuckey.org/res/dtds/urlrewrite3.2.dtd">
    <urlrewrite default-match-type="wildcard">
    
    	<!-- Static Web Content -->
    	<rule>
    		<from>/js**</from>
    		<to last="true">/js$1</to>
    	</rule>
    	<rule>
    		<from>/images**</from>
    		<to last="true">/images$1</to>
    	</rule>
    
    	<!-- Spring Security -->
    	<rule>
    		<from>/j_spring_security_check**</from>
    		<to last="true">/j_spring_security_check$1</to>
    	</rule>
    	<rule>
    		<from>/j_spring_security_logout**</from>
    		<to last="true">/j_spring_security_logout$1</to>
    	</rule>
    	
    	<!-- Secured Web Pages -->
    	<rule>
    		<from>/app/page**</from>
    		<to>/page$1</to>
    	</rule>
    
    	<!-- Spring Web MVC -->
    	<rule>
    		<from>/**</from>
    		<to>/app/$1</to>
    	</rule>
    	<outbound-rule>
    		<from>/app/**</from>
    		<to>/$1</to>
    	</outbound-rule>
    </urlrewrite>
    Do I need an extra outbound-rule for "/app/page"? I tried different constellations but nothing has helped.
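
An added example, not part of the thread and not UrlRewriteFilter's own code: a small Python model of the rule chain in the urlrewrite.xml from post #23, showing what `last="true"` changes and where the `/app/page**` rule ends up. It assumes that `**` matches across `/`, that `*` does not, that a pattern must match the whole path, and that a matching rule's output feeds the next rule unless `last="true"`; `RULES`, `wildcard_to_regex` and `rewrite` are hypothetical names.

```python
import re

# Rules copied from the urlrewrite.xml in post #23: (from, to, last)
RULES = [
    ("/js**", "/js$1", True),
    ("/images**", "/images$1", True),
    ("/j_spring_security_check**", "/j_spring_security_check$1", True),
    ("/j_spring_security_logout**", "/j_spring_security_logout$1", True),
    ("/app/page**", "/page$1", False),   # "Secured Web Pages" rule
    ("/**", "/app/$1", False),           # catch-all to the dispatcher
]

def wildcard_to_regex(pattern):
    """Translate a wildcard <from> into a regex (assumed semantics, see lead-in)."""
    out = []
    for part in re.split(r"(\*\*|\*)", pattern):
        if part == "**":
            out.append("(.*)")        # spans path separators
        elif part == "*":
            out.append("([^/]*)")     # stays inside one path segment
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")

def rewrite(path, rules=RULES):
    """Run path through the rules in order; return (final_path, trace)."""
    trace = [path]
    for frm, to, last in rules:
        m = wildcard_to_regex(frm).match(path)
        if not m:
            continue
        # Substitute $1, $2, ... with the captured wildcard text.
        path = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), to)
        trace.append(path)
        if last:
            break                     # last="true": stop processing rules
    return path, trace

if __name__ == "__main__":
    # Constructed sample paths (context-relative, i.e. without /ksw).
    for p in ["/page", "/app/page", "/js/site.js", "/j_spring_security_logout"]:
        print(p, "->", " -> ".join(rewrite(p)[1][1:]))
    # Same rules with every last="true" removed, as before the advice in post #21.
    no_last = [(f, t, False) for f, t, _ in RULES]
    print(rewrite("/j_spring_security_logout", no_last)[0])
```

In this model `/app/page` is rewritten to `/page` and then straight back to `/app/page` by the catch-all, so both `/page` and `/app/page` finish at the path the `intercept-url` pattern in the post names. With `last="true"` removed, `/j_spring_security_logout` finishes at `/app/j_spring_security_logout`.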

  4. #24
    Join Date
    Apr 2010
    Posts
    22

    Default

    Quote Originally Posted by bennyn View Post
    Today I played around a bit with securing my webpages. If I want to access http://localhost:8080/ksw/page then Spring Security blocks me and wants me to log in (yeah!). After a successful login, Spring Security redirects me to http://localhost:8080/ksw/app/page with status code 200, so the page is ok and can be seen. :-) The only problem I have with it is that the URL is http://localhost:8080/ksw/app/page and not http://localhost:8080/ksw/page.

    My controller:
    Code:
    @RequestMapping("/page")
    { ... }
    My applicationContext-security.xml:
    Code:
    <intercept-url pattern="/app/page" access="ROLE_USER" />
    My urlrewrite.xml is:

    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 3.2//EN"
    "http://tuckey.org/res/dtds/urlrewrite3.2.dtd">
    <urlrewrite default-match-type="wildcard">
    
    	<!-- Static Web Content -->
    	<rule>
    		<from>/js**</from>
    		<to last="true">/js$1</to>
    	</rule>
    	<rule>
    		<from>/images**</from>
    		<to last="true">/images$1</to>
    	</rule>
    
    	<!-- Spring Security -->
    	<rule>
    		<from>/j_spring_security_check**</from>
    		<to last="true">/j_spring_security_check$1</to>
    	</rule>
    	<rule>
    		<from>/j_spring_security_logout**</from>
    		<to last="true">/j_spring_security_logout$1</to>
    	</rule>
    	
    	<!-- Secured Web Pages -->
    	<rule>
    		<from>/app/page**</from>
    		<to>/page$1</to>
    	</rule>
    
    	<!-- Spring Web MVC -->
    	<rule>
    		<from>/**</from>
    		<to>/app/$1</to>
    	</rule>
    	<outbound-rule>
    		<from>/app/**</from>
    		<to>/$1</to>
    	</outbound-rule>
    </urlrewrite>
    Do I need an extra outbound-rule for "/app/page"? I tried different constellations but nothing has helped.

    What is your default-target-url in applicationContext-security.xml?

  5. #25
    Join Date
    Jun 2010
    Posts
    10

    Arrow

    I have not set any default-target-url. I had it before, but then Spring Security redirected me to the default-target-url every time I logged in. But I want the user to stay on the page that the login was needed for.

    My <http> configuration is just:
    Code:
    <http>
    <intercept-url pattern="/app/page" access="ROLE_USER" />
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <http-basic />
    <form-login login-page="/login" authentication-failure-url="/login/error" />
    <logout />
    </http>

  6. #26

    Default Method Level Security

    Hi,

    The URL authentication done by Spring Security is very impressive and good to implement. Now I am implementing ACLs for method-level security.

    I want to know whether we can do method-level security without touching the screens or code, just using some implemented classes as we do in the case of the URLs. If it is possible, please tell me.

    I saw the contacts example given by Spring Security for ACL implementations, and in it we have to use tags in the JSP page and also make some changes in the controller. I have a project with 1500 screens which I can't change for authorization.

    So kindly suggest me what is the best way to do?

    Thanks
