  • intercept-url is not intercepting URL

    Hi All,

    I am trying to add Spring Security to my Struts2-based application. For some areas it's working fine, but it seems like for some it's not working at all. This is a snapshot of my spring-security.xml file:

    Code:
    <http auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
        <intercept-url pattern="/bd/account/get-user-by-id" access="ROLE_ADMIN,ROLE_USER" />
        <access-denied-handler error-page="/login?simple=true"/>
        <custom-filter ref="preAuthFilter" position="PRE_AUTH_FILTER" />
    </http>
    I have defined a few more such interceptor patterns in my XML file. In the above code
    Code:
    <access-denied-handler error-page="/login?simple=true"/>
    /login is a Struts2 action, and my expectation from this is as follows:

    1. If a non-logged-in user clicks on the above link, Spring Security should send it to the access-denied handler.
    2. The access-denied handler is a Struts2 action and it should get called, which should simply show the login page to the user.

    The above login action of Struts2 is working fine in normal conditions, but it seems that Spring Security is not intercepting this URL at all or not calling the Struts2 action.
    I have configured my Struts2 filter to even handle FORWARD requests as follows:

    Code:
    <filter-mapping>
        <filter-name>action2</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    I am not sure what I am doing wrong in this.

  • #2
    Which link are you speaking of when you say you click on it? Is /bd the context root (you should not include the context root in the intercept-url patterns)? What does your preAuthFilter look like? What does preAuthenticatedProcessingFilterEntryPoint look like? The denied entry point would only happen if the user is already authenticated and is not allowed access (i.e. the user is ROLE_USER and the URL requires ROLE_ADMIN). If the user is not authenticated the AuthenticationEntryPoint is used (i.e. entry-point-ref). If none of this helps, you might try turning on debug logging to see what is happening.


    • #3
      Also make sure the filter-mapping of the security chain comes BEFORE the Struts filter, else it will not be called (the order in which filters are executed is the order in which the filter-mapping appears; if Struts runs before Spring Security, it basically does nothing).

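The ordering rule from reply #3, turned into a check that can be run against a web.xml (an added example, not code from the thread). The filter name `action2` comes from the post; `springSecurityFilterChain` as the security filter's name and both web.xml documents are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml documents: "action2" is the Struts2 filter name from the
# post; "springSecurityFilterChain" is an assumed name for the security filter.
MAPPING = """  <filter-mapping>
    <filter-name>{name}</filter-name>
    <url-pattern>/*</url-pattern>{dispatchers}
  </filter-mapping>
"""
STRUTS = MAPPING.format(name="action2", dispatchers="".join(
    "\n    <dispatcher>%s</dispatcher>" % d
    for d in ("REQUEST", "FORWARD", "INCLUDE", "ERROR")))
SECURITY = MAPPING.format(name="springSecurityFilterChain", dispatchers="")
WRAP = '<web-app xmlns="http://java.sun.com/xml/ns/javaee">\n%s</web-app>'
STRUTS_FIRST = WRAP % (STRUTS + SECURITY)    # the misordering reply #3 warns about
SECURITY_FIRST = WRAP % (SECURITY + STRUTS)  # security chain runs before Struts


def _local(tag):
    """Strip the XML namespace so the check works with any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def filter_mappings(web_xml):
    """Return (filter-name, url-patterns, dispatchers) tuples in declaration order."""
    mappings = []
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) != "filter-mapping":
            continue
        found = {"filter-name": [], "url-pattern": [], "dispatcher": []}
        for child in el:
            if _local(child.tag) in found:
                found[_local(child.tag)].append((child.text or "").strip())
        name = found["filter-name"][0] if found["filter-name"] else ""
        # A mapping with no <dispatcher> element applies to REQUEST only.
        mappings.append((name, found["url-pattern"], found["dispatcher"] or ["REQUEST"]))
    return mappings


def check_chain_order(web_xml, security="springSecurityFilterChain", app="action2"):
    """Return 'ok', 'misordered' or 'missing' for the two filters' mapping order."""
    names = [m[0] for m in filter_mappings(web_xml)]
    if security not in names or app not in names:
        return "missing"
    return "ok" if names.index(security) < names.index(app) else "misordered"


if __name__ == "__main__":
    for label, doc in (("struts first", STRUTS_FIRST), ("security first", SECURITY_FIRST)):
        print(label, "->", check_chain_order(doc), [m[0] for m in filter_mappings(doc)])
```

`filter_mappings` also returns each mapping's dispatcher list, so the same output shows which dispatch types (such as FORWARD) reach the Struts filter but are not mapped to the security filter.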