Hi,
I've got a design problem with Spring Security.
I'm building a web application with two areas, one public and one secured. Moreover, I've set up <session-management /> for the secured area to track session timeouts.
Static resources are intercepted with access="permitAll" because security won't work if the
/static/j_spring_security_* resources don't go through the security filter chain (am I wrong?).
The public area URLs are intercepted with filters="none".
When a static resource is requested from the public area, a new session is created!
Do you have any advice on how to deal with static resources involved in the security process and those which are not?
Thanks
With spring-security-3.0.2
Code:
<http auto-config="true" use-expressions="true" path-type="regex">
    <form-login login-processing-url="/static/j_spring_security_check"
                login-page="/login"
                authentication-failure-url="/login?login_error=t"
                default-target-url="/after-login"/>
    <logout logout-url="/static/j_spring_security_logout"
            invalidate-session="true"
            logout-success-url="/login?logout_ok=t" />
    <session-management invalid-session-url="/login?session_timeout=t"
                        session-fixation-protection="none"/>
    <intercept-url pattern="/admin/.*" access="hasRole('ROLE_ADMIN')"/><!-- restricted area -->
    <intercept-url pattern="/after-login/.*" access="isAuthenticated()"/>
    <intercept-url pattern="/resources/.*" access="permitAll" />
    <intercept-url pattern="/static/.*" access="permitAll" />
    <intercept-url pattern="/login[^/].*$" filters="none"/>
    <intercept-url pattern="/[^\\p{Digit}]+/.*" filters="none" /><!-- public area -->
    <intercept-url pattern="/.*" filters="none" />
</http>


