Why can't I unsecure /** URL pattern with filters="none" ?
  • Why can't I unsecure /** URL pattern with filters="none" ?

    This is what I'm doing:

    <security:intercept-url pattern="/**" filters="none" />

    My configuration doesn't contain any more intercept-url definitions.

    However after accessing any URL I still get redirected to the default entry point...

    I debugged the Spring Security source and I can actually see the filters being loaded for the URL I'm trying to access. (FilterChainProxy line: 154, the filters list is full)

    Any insight into why this happens ?

    I can't find any documentation on this and it looks intuitive that if no filters are loaded for other URL patterns no filters would be loaded for /** also.

    I'm using 3.0.5.RELEASE

    Last edited by ayld; Jun 2nd, 2011, 10:22 AM. Reason: formatting

  • #2
    Actually I can't find any way to unsecure /**

    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    Also redirects me to the default entry point.
    Last edited by ayld; Jun 2nd, 2011, 10:27 AM. Reason: more details


    • #3
      When using the namespace, the filter stack it creates is automatically applied to the "/**" pattern. Using filters="none" is a way of opting out particular URLs by creating an empty filter chain in the FilterChainProxy. Using IS_AUTHENTICATED_ANONYMOUSLY should work, unless you have anonymous support disabled.

      It should be obvious from the debug log why you are being redirected to the entry point.


      • #4

        Is this documented somewhere ?

        For me it was a bit unexpected that I can't turn off filters on /**, since it's a pattern like all the others.
        Could you point me to documentation on that if there is any ?
        Last edited by ayld; Jun 3rd, 2011, 02:47 AM. Reason: typo


        • #5
          It is a bit confusing since filters="none" applies to the FilterChainProxy configuration whereas the remaining configuration options configure the FilterSecurityInterceptor in the default filter chain. The "filters" attribute is no longer supported in 3.1 since you can have multiple filter chains applying to different request patterns. So in 3.1 you can have an empty filter chain for "/**", even though it wouldn't be advised (since you should generally adopt a deny-by-default approach to securing your app).
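
Added example, not part of the original thread: the deny-by-default layout that posts #3 and #5 describe, written once in 3.0.x namespace syntax and once in 3.1 syntax. The paths /static/** and /login* and the role ROLE_USER are assumptions chosen for illustration; the enclosing beans element and the authentication-manager definition are omitted.

```xml
<!-- Variant A: Spring Security 3.0.x (the version used in the thread).
     Use one variant or the other, not both. -->
<security:http auto-config="true">

    <!-- FilterChainProxy level: an empty filter chain for this pattern.
         No SecurityContext is populated for these requests, so keep it
         to static assets that need no user information. -->
    <security:intercept-url pattern="/static/**" filters="none" />

    <!-- FilterSecurityInterceptor level: the full filter stack still runs,
         but anonymous users pass the access check. This relies on
         anonymous support, which the namespace enables by default. -->
    <security:intercept-url pattern="/login*"
                            access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <!-- Catch-all last: everything not listed above needs an
         authenticated user (deny by default). -->
    <security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>


<!-- Variant B: Spring Security 3.1, where the filters attribute is gone
     and each http element defines its own filter chain. -->

<!-- Empty filter chain for static assets; replaces filters="none". -->
<security:http pattern="/static/**" security="none" />

<!-- Default chain for every other request. Chains are matched in the
     order they are declared, so the specific pattern comes first. -->
<security:http auto-config="true">
    <security:intercept-url pattern="/login*"
                            access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
```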