Announcement Announcement Module
Collapse
No announcement yet.
intercept-url not working when filter='none' Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • intercept-url not working when filter='none'

    Hi,

    I have defined several intercept-url patterns that use filters='none' since I want to
    remove any filters from being applied (example '/test/**'). One of these URL's sub files should be protected, so I defined the URL ('test/protected') and the access control. Since order is important I define the more specific one first, as shown in the example below. However at run time '/test/**' is always matched.

    Code:
    <http auto-config="true">
    		<intercept-url pattern="/images/**" filters="none"/>
    		<intercept-url pattern="/styles/**" filters="none"/>
    		<intercept-url pattern="/resources/**" filters="none"/>
    	    <intercept-url pattern="/test/protected" access="ROLE_USER, ROLE_ADMIN"/>
    	    <intercept-url pattern="/test/**" filters="none"/>
    		<intercept-url pattern="/logged-out" filters="none" />
    		<intercept-url pattern="/" filters="none" />
    		<intercept-url pattern="/manage/**" access="ROLE_USER, ROLE_ADMIN"/>
    		
    		<logout logout-success-url="/logged-out" logout-url="/logout"/>
    	</http>
    I attached a debugger to see what was going on and I looked at the logs.
    URL patterns dealing with access control are handled by FilterSecurityInterceptor/DefaultFilterInvocationSecurityMetadataSource, while those dealing with which filters to use are handled by 'FilterChainProxy'. FilterChainProxy runs first and if the request URL matches any of the patterns with filter='none' then no further processing happens. My URL '/test/protected' would be processed by 'DefaultFilterInvocationSecurityMetadataSource' but FilterChainProxy never passes it down.

    Is this a bug in how the <http> namespace is interpreted? I would expect 'test/protected' to show up in the 'FilterChainProxy' with the same filters as '/**'.

    I am using Spring Security 3.0.5.

    Code:
    2011-07-21 09:39:04,065 DEBUG: org.springframework.security.web.FilterChainProxy - Converted URL to lowercase, from: '/test/protected'; to: '/test/protected'
    2011-07-21 09:39:04,065 DEBUG: org.springframework.security.web.FilterChainProxy - Candidate is: '/test/protected'; pattern is /images/**; matched=false
    2011-07-21 09:39:04,065 DEBUG: org.springframework.security.web.FilterChainProxy - Converted URL to lowercase, from: '/test/protected'; to: '/test/protected'
    2011-07-21 09:39:04,066 DEBUG: org.springframework.security.web.FilterChainProxy - Candidate is: '/test/protected'; pattern is /styles/**; matched=false
    2011-07-21 09:39:04,066 DEBUG: org.springframework.security.web.FilterChainProxy - Converted URL to lowercase, from: '/test/protected'; to: '/test/protected'
    2011-07-21 09:39:04,066 DEBUG: org.springframework.security.web.FilterChainProxy - Candidate is: '/test/protected'; pattern is /resources/**; matched=false
    2011-07-21 09:39:04,066 DEBUG: org.springframework.security.web.FilterChainProxy - Converted URL to lowercase, from: '/test/protected'; to: '/test/protected'
    2011-07-21 09:39:04,066 DEBUG: org.springframework.security.web.FilterChainProxy - Candidate is: '/test/protected'; pattern is /test/**; matched=true
    2011-07-21 09:39:04,066 DEBUG: org.springframework.security.web.FilterChainProxy - /test/protected has an empty filter list

  • #2
    Check out this thread.

    Comment

    Working...
    X