[intercept-url method attribute] does not work with PUT and DELETE

  • [intercept-url method attribute] does not work with PUT and DELETE

    Hi all,

    First of all, sorry for my English.

    I'm using Spring Security 3.1 in a Spring 3 web application, but I can't intercept URLs with the PUT or DELETE method.

    I'm using the httpMethodFilter (works fine with controller classes) and placed it before the springSecurityFilterChain in web.xml.

    Example:
    Code:
    <security:intercept-url pattern="/user/*" access="hasAnyRole('ROLE_USER_WRITE')" method="DELETE"/>
    The logged-in user doesn't have ROLE_USER_WRITE (only ROLE_USER_READ), but the DELETE method is not intercepted!!!
    If I change the code to

    Code:
    <security:intercept-url pattern="/user/*" access="hasAnyRole('ROLE_USER_WRITE')" method="POST"/>
    it works fine.

    It seems it doesn't recognize the PUT and DELETE verbs, only GET and POST.
    I can change my URLs, but I would prefer to find a RESTful solution.

    Thanks in advance.

  • #2
    Are you using HiddenHttpMethodFilter to emulate DELETE and PUT? If so the filter-mapping needs to be before the springSecurityFilterChain.


    • #3
      I noticed that if I set the HttpMethodFilter like this

      <filter>
        <filter-name>httpMethodFilter</filter-name>
        <filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
      </filter>

      <filter-mapping>
        <filter-name>httpMethodFilter</filter-name>
        <servlet-name>dispatcher</servlet-name>
      </filter-mapping>
      it doesn't work!

      Instead:
      <filter>
        <filter-name>httpMethodFilter</filter-name>
        <filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
      </filter>

      <filter-mapping>
        <filter-name>httpMethodFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      it finally works!

      Is it maybe because the Spring Security Filter works BEFORE the Dispatcher Servlet?

      In the first case I think the flow will be:
      1) Spring Security Filter
      2) Http Method Filter
      3) Dispatcher Servlet

      Mapping HttpMethodFilter with "/*" (instead of on the Dispatcher servlet) and placing it BEFORE the Spring Security Filter in web.xml, the flow is:

      1) Http Method Filter
      2) Spring Security Filter
      3) Dispatcher Servlet

      Do you think this is right?!


      • #4
        Originally posted by Javaspritz:
        "Do you think this is right?!"
        Yes. This is what I was recommending in my previous post.


        • #5
          Ok, sorry.

          I didn't understand.

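Added example, not part of the thread and not Spring's own code: a small Python audit of the filter order discussed in posts #3 and #4, using the Servlet rule that url-pattern filter mappings run before servlet-name mappings. It assumes every url-pattern matches the request and that the servlet-name mapping targets the servlet handling it; the sample web.xml, the function names and the result strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

HIDDEN_CLASS = "org.springframework.web.filter.HiddenHttpMethodFilter"
SECURITY_FILTER = "springSecurityFilterChain"

# Constructed web.xml; {target} is the httpMethodFilter mapping from post #3.
_TEMPLATE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter><filter-name>httpMethodFilter</filter-name>
    <filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class></filter>
  <filter><filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class></filter>
  <filter-mapping><filter-name>httpMethodFilter</filter-name>{target}</filter-mapping>
  <filter-mapping><filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
SERVLET_MAPPED = _TEMPLATE.format(target="<servlet-name>dispatcher</servlet-name>")
URL_MAPPED = _TEMPLATE.format(target="<url-pattern>/*</url-pattern>")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def _text(parent, name):
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def effective_chain(web_xml):
    """Order in which the container runs filters for a dispatcher request:
    url-pattern mappings in descriptor order, then servlet-name mappings."""
    classes, by_url, by_servlet = {}, [], []
    for el in ET.fromstring(web_xml):
        if _local(el.tag) == "filter":
            classes[_text(el, "filter-name")] = _text(el, "filter-class")
        elif _local(el.tag) == "filter-mapping":
            target = by_url if _text(el, "url-pattern") else by_servlet
            target.append(_text(el, "filter-name"))
    return by_url + by_servlet, classes

def audit(web_xml):
    chain, classes = effective_chain(web_xml)
    hidden = [n for n in chain if classes.get(n) == HIDDEN_CLASS]
    if not hidden or SECURITY_FILTER not in chain:
        return "not-applicable"
    if chain.index(hidden[0]) < chain.index(SECURITY_FILTER):
        return "ok"
    # Security matches method="..." against the raw POST, not the emulated verb.
    return "security-sees-raw-method"

if __name__ == "__main__":
    print("servlet-name mapping:", audit(SERVLET_MAPPED))
    print("url-pattern mapping: ", audit(URL_MAPPED))
```

A result of `security-sees-raw-method` means a `method="DELETE"` or `method="PUT"` rule in `intercept-url` never matches the emulated requests, which is the symptom described in the first post.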