-
Jul 1st, 2010, 08:17 AM
#1
Able To Include Parameters and Values in Security Pattern?
Hi,
I am attempting to use the Spring security pattern to intercept a URL that includes a particular parameter and value. Can someone tell me if what I am attempting is feasible and if so, what am I doing wrong please? Details as follows.
There are two types of user that can access the same page. However, each user is limited to one request value as shown below.
<security:intercept-url pattern="/**foo.htm?parameter=value1*" access="ROLE_USER1"/>
<security:intercept-url pattern="/**foo.htm?parameter=value2*" access="ROLE_USER2"/>
However, I am finding that the above configuration will not permit ROLE_USER1 to access a page with request:
...foo.htm?parameter=value1
I have tried a couple of variations, but neither of these worked either:
<security:intercept-url pattern="/**foo.htm\?parameter=value1*" access="ROLE_USER1"/>
<security:intercept-url pattern="/**foo.htm*parameter=value1*" access="ROLE_USER1"/>
Should I be able to filter on a parameter value and if so, what is the correct syntax?
Thank you.
Regards
Brett S
-
Jul 1st, 2010, 10:19 AM
#2
Query strings are stripped when using ant paths. You can switch to regular expression matching for more complicated matches.
-
Jul 2nd, 2010, 07:02 AM
#3
Hi Luke,
Thanks for your reply. I did as you suggested (after upgrading to version 3.03) and the following worked exactly as required:
<http auto-config="false" path-type="regex">
...
<intercept-url pattern="/.*foo\.htm\?parameter=value1.*" access="ROLE_USER1"/>
<intercept-url pattern="/.*foo\.htm\?parameter=value2.*" access="ROLE_USER2"/>
...
</http>
However, I now have a problem in a JSP where I am attempting to do this:
<sec:authorize access="hasRole('ROLE_USER1')">
USER1 stuff here...
</sec:authorize>
What happens is my environment throws this error:
javax.servlet.ServletException: javax.servlet.jsp.JspException: No visible WebSecurityExpressionHandler instance could be found in the application context. There must be at least one in order to support expressions in JSP 'authorize' tags.
org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:850)
The documentation states:
"The expression evaluation will be delegated to the WebSecurityExpressionHandler defined in the application context (you should have web expressions enabled in your <http> namespace configuration to make sure this service is available)."
However, I have been googling this and can't for the life of me figure out what I should put in the application context. Any suggestions?
Thank you
Regards
Brett S
-
Jul 2nd, 2010, 07:50 AM
#4
Set up your <http> configuration to use expression-based access attributes.
-
Jul 2nd, 2010, 12:51 PM
#5
Hey Luke,
That did the trick!
I added:
use-expressions="true" to my <http> markup.
An unexpected consequence was I had to change the access expressions from:
access="ROLE_USER1"
to:
access="hasRole('ROLE_USER1')"
So, I ended up with the following markup
<http auto-config="false" path-type="regex" use-expressions="true">
...
<intercept-url pattern="/.*foo\.htm\?parameter=value1.*" access="hasRole('ROLE_USER1')"/>
<intercept-url pattern="/.*foo\.htm\?parameter=value2.*" access="hasRole('ROLE_USER2')"/>
...
</http>
and now this JSP expression works too:
<sec:authorize access="hasRole('ROLE_USER1')">
USER1 stuff here...
</sec:authorize>
Thanks again Luke. Now I can get some sleep.
Regards
Brett S
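Added example, not part of the original thread and not Spring Security's own code: a stand-alone Java check showing which rule decides a request under the regex configuration from post #5, next to what an ant-path matcher would see once the query string is stripped. It assumes rules are tried in declaration order with the first whole-string match winning, and it adds a hypothetical deny-all catch-all rule that the thread's configuration does not show; the request URLs are constructed samples.

```java
import java.util.regex.Pattern;

public class InterceptUrlRegexCheck {
    // {pattern, access} pairs in declaration order. The first two come from
    // the thread; the last is a hypothetical catch-all, not in the thread.
    static final String[][] RULES = {
        {"/.*foo\\.htm\\?parameter=value1.*", "hasRole('ROLE_USER1')"},
        {"/.*foo\\.htm\\?parameter=value2.*", "hasRole('ROLE_USER2')"},
        {"/.*", "denyAll"},
    };

    // Access attribute of the first rule whose pattern matches the whole
    // path-plus-query string (assumed matching model, see lead-in).
    static String accessFor(String pathAndQuery) {
        for (String[] rule : RULES) {
            if (Pattern.compile(rule[0]).matcher(pathAndQuery).matches()) {
                return rule[1];
            }
        }
        return "(no rule matched)";
    }

    // What an ant-path matcher is given: the URL with its query string removed.
    static String stripQuery(String url) {
        int q = url.indexOf('?');
        return q < 0 ? url : url.substring(0, q);
    }

    public static void main(String[] args) {
        // Constructed sample requests, not taken from the thread.
        String[] urls = {
            "/app/foo.htm?parameter=value1",
            "/app/foo.htm?parameter=value2&page=3",
            "/app/foo.htm?page=3&parameter=value1", // parameter is not first
            "/app/foo.htm?parameter=value10",       // trailing .* is a prefix match
            "/app/foo.htm",                         // no query string at all
        };
        for (String url : urls) {
            System.out.printf("%-40s regex: %-22s ant sees: %s%n",
                    url, accessFor(url), stripQuery(url));
        }
    }
}
```

Requests that match neither role pattern are decided by whatever rule follows them, so the rule list should end in a restrictive catch-all, and the controller should still validate the parameter value itself.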