Thread: intercept-url not working for me

  1. #1

    intercept-url not working for me

    Please find my security configuration below:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:util="http://www.springframework.org/schema/util"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:context="http://www.springframework.org/schema/context"
    	xmlns:tx="http://www.springframework.org/schema/tx"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        					http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
        					http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
    						http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
    						http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
    
    
    	<global-method-security secured-annotations="enabled" jsr250-annotations="enabled" pre-post-annotations="enabled" />
    
        <http use-expressions="true">     	     
    
            <intercept-url pattern="${root}/vikas/login.htm" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />
            <intercept-url pattern="${root}/vikas/admin.htm" access="hasRole(ROLE_ADMIN)" />
            <intercept-url pattern="${root}/vikas/css/**" access="hasRole(ROLE_ADMIN)" />
    
    		<form-login login-processing-url="/j_spring_security_check" login-page="/jsp/login.jsp" authentication-failure-url="/jsp/login.jsp?login_error=true"/>
            <logout logout-url="/j_spring_security_logout" logout-success-url="/"/>
    
    		<remember-me key="myAppKey" token-validity-seconds="864000" />
        </http>
        
        <authentication-manager>
        	<authentication-provider>
        		<jdbc-user-service data-source-ref="myDataSource" users-by-username-query="select USER_NAME as username, PASSWORD, true from USER where USER_NAME = ? and STATUS='Active'"/>
        	</authentication-provider>
        </authentication-manager>
    
    </beans:beans>

    In the above code, I was expecting that /admin.htm and the CSS pages could only be accessed by a ROLE_ADMIN user, but they are accessible to everyone.

    Please tell me where I am going wrong. Thank you.

  2. #2
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    Missing single quotes around ROLE_ADMIN in the SpEL expressions?
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  3. #3

    Thank you, pmularien, for pointing out one of the mistakes. But I am still able to access the admin page without admin rights.

    I made the following change:

    Code:
            <intercept-url pattern="${root}/vikas/login.htm" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />
            <intercept-url pattern="${root}/vikas/admin.htm" access="hasRole('ROLE_ADMIN')" />
            <intercept-url pattern="${root}/vikas/css/**" access="hasRole('ROLE_ADMIN')" />

    Please tell me what else is wrong in it.

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826

    What is the value of ${root}? Also, if you did not experience an exception with the invalid configuration, did you make sure to set up your web.xml with a ContextLoaderListener that imports your Spring config, and with a springSecurityFilterChain?

  5. #5
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    Also, please post which version of Spring Security you are using.
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  6. #6

    ${root} is the contextual root. Currently, its value is http://localhost:8080. Previously, I tried with a relative URL as well, but neither works.

    And there is no exception shown on the server.

    My web.xml has ContextLoaderListener and springSecurityFilterChain, as shown below:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    	<display-name>myworld</display-name>
    
    	<servlet>
    		<servlet-name>dispatcher</servlet-name>
    		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    		<init-param>
    			<param-name>contextConfigLocation</param-name>
    			<param-value/>
    		</init-param>
    	</servlet>
    
    	<servlet-mapping>
    		<servlet-name>dispatcher</servlet-name>
    		<url-pattern>*.htm</url-pattern>
    	</servlet-mapping>
    
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>
    			/WEB-INF/config/myworld-config.xml
    		</param-value>
    	</context-param>
    
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
    
    	<filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    
    	<listener>
    		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    	</listener>
    
    	<welcome-file-list>
    		<welcome-file>index.jsp</welcome-file>
    	</welcome-file-list>
    </web-app>

  7. #7

    I am using Spring Security 3.0.

  8. #8
    Join Date
    Jan 2008
    Posts
    1,826

    What is the name of the Spring config you posted?

  9. #9
    Luke Taylor (Senior Member; Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Look at the debug log. It explicitly tells you the URLs it is attempting to match and whether or not each pattern matches, and it will detail the request's progress through the filter chain. They shouldn't include the context path.
    Spring - by Pivotal
    twitter @tekul
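
Added example, not part of the original thread: the pattern rule from post #9 applied to the rules posted in #3. It assumes `/vikas` is the application's context path (suggested by the URLs in the thread but not confirmed there), so each pattern starts at the path that follows it.

```xml
<!-- Added example, not the poster's final configuration.
     Assumption: the application is deployed under the context path /vikas. -->
<http use-expressions="true">

    <!-- Before (from post #3): the pattern carries scheme, host and context path.
         Spring Security compares patterns with the path inside the application
         (servlet path plus path info), e.g. /admin.htm, so this rule never
         matches and the request passes through without an access check:

         <intercept-url pattern="${root}/vikas/admin.htm" access="hasRole('ROLE_ADMIN')" />
    -->

    <!-- After: patterns are relative to the context path, and role names are
         quoted string literals inside the SpEL expression (post #2).
         Rules are evaluated top to bottom and the first match decides. -->
    <intercept-url pattern="/admin.htm" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/css/**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/login.htm" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />

    <!-- Unchanged from post #1 -->
    <form-login login-processing-url="/j_spring_security_check"
                login-page="/jsp/login.jsp"
                authentication-failure-url="/jsp/login.jsp?login_error=true" />
    <logout logout-url="/j_spring_security_logout" logout-success-url="/" />
    <remember-me key="myAppKey" token-validity-seconds="864000" />
</http>
```

With the `org.springframework.security` logger set to DEBUG, the log lists each pattern as it is compared with the request path, which confirms whether `/admin.htm` now hits the ROLE_ADMIN rule.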

  10. #10

    rwinch,

    My Spring config name is myworld-security.xml.

    Also, login, logout, and remember-me functionalities are working fine in my application.

    I would like to inform you that there is no file named admin.htm; instead, I am using the @RequestMapping("admin.htm") annotation in the AdminController class. This class then returns the admin tile view.

    Luke Taylor, I haven't enabled my logging yet. I have to learn how to do that.
