  • Problem with intercept-patterns and REST

    Hi,

    I have a problem with users being able to access pages that they shouldn't.

    Example mapping that should only be accessed by editors:
    Code:
        import org.springframework.stereotype.Controller;
        import org.springframework.ui.ModelMap;
        import org.springframework.web.bind.annotation.RequestMapping;
        import org.springframework.web.bind.annotation.RequestMethod;
        import org.springframework.web.context.request.NativeWebRequest;

        @Controller
        @RequestMapping("/*/??_??/account/{groupType}")
        public class GroupController {

            // Handles GET /<site>/<xx_XX>/account/{groupType}/add
            @RequestMapping(method = RequestMethod.GET, value = "/add")
            public String addGroup(ModelMap model, NativeWebRequest request) {
                [...]
    In case groupType equals "page", only an editor can access this page; when it's "other", all users can access it.

    Code:
        <http use-expressions="true" entry-point-ref="myAuthenticationProcessingFilterEntryPoint">
            <intercept-url pattern="/*/*/account/page/add/" access="hasRole('ROLE_EDITOR')" />
            <intercept-url pattern="/*/*/account/**" access="isAuthenticated()" />
            [...]
    (In my case myAuthenticationProcessingFilterEntryPoint extends LoginUrlAuthenticationEntryPoint.)

    I have a few examples here with 3 URLs that should all be denied access.

    URLs:
    * /xyz/NL_nl/account/page/add/ => access denied to non-editors OK
    * /xyz/NL_nl/account/page/add => access approved to non-editors FAIL
    * /xyz/NL_nl/account/page/add.html => access approved to non-editors FAIL

    Code:
        <http use-expressions="true" entry-point-ref="myAuthenticationProcessingFilterEntryPoint">
            <intercept-url pattern="/*/*/account/page/add*" access="hasRole('ROLE_EDITOR')" />
            <intercept-url pattern="/*/*/account/**" access="isAuthenticated()" />
            [...]
    URLs:
    * /xyz/NL_nl/account/page/add/ => access approved to non-editors FAIL
    * /xyz/NL_nl/account/page/add => access denied to non-editors OK
    * /xyz/NL_nl/account/page/add.html => access denied to non-editors OK

    Code:
        <http use-expressions="true" entry-point-ref="myAuthenticationProcessingFilterEntryPoint">
            <intercept-url pattern="/*/*/account/page/add**" access="hasRole('ROLE_EDITOR')" />
            <intercept-url pattern="/*/*/account/**" access="isAuthenticated()" />
            [...]
    URLs:
    * /xyz/NL_nl/account/page/add/ => access approved to non-editors FAIL
    * /xyz/NL_nl/account/page/add => access denied to non-editors OK
    * /xyz/NL_nl/account/page/add.html => access denied to non-editors OK


    I have two questions:
    * How can I implement the pattern in such a way that all 3 URL options deny access?
    * Why doesn't Spring Security handle the issue of trailing slash/*.html by default? It seems very easy to make a dangerous mistake here. Spring automatically processes the *.html extension, and your webserver may automatically add a trailing slash, or not.

  • #2
    Spring Security only does what you tell it to do and nothing more. It does not make assumptions about your underlying stack (i.e. the fact that Spring MVC allows different extensions doesn't matter, since you might be using Spring Security with another framework). In general, * means anything within this folder and ** means any number of folders. You can learn more and see some examples in the Spring Security Fundamentals presentation around 24 min in.

    In short, I believe you are looking for /*/*/account/page/add*/**. You can also declare multiple intercept-url elements to match on each of your patterns individually.
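    To see why the first three patterns miss a spelling and the suggested one catches all of them, here is an added example that is not code from this thread or from Spring: a small Python re-implementation of the Ant-style path rules the intercept-url matcher follows (`*` matches within one segment, `?` one character, a token that is exactly `**` spans zero or more segments, and the trailing slash is significant unless the pattern contains `**`), with both sides lower-cased as that generation of Spring Security did by default. It tables the four patterns from this thread against the three URL spellings and adds one constructed URL, `/xyz/NL_nl/account/page/address`, to show a side effect of the `add*/**` fix. The helper names (`ant_match`, `check_pattern`, `covers_all`) are this example's own, not Spring's API.

```python
# Added example (not code from the thread or from Spring): a compact
# re-implementation of the Ant-style path rules used by
# <intercept-url pattern="...">, so the thread's candidate patterns can be
# tabled against the URL spellings without a running Spring stack.
# It is not Spring's AntPathMatcher; helper names are this example's own.
import re

# The three spellings from the thread, plus one constructed extra URL that
# shows a loose prefix such as add* also catches unrelated pages.
THREAD_URLS = [
    "/xyz/NL_nl/account/page/add/",
    "/xyz/NL_nl/account/page/add",
    "/xyz/NL_nl/account/page/add.html",
]
EXTRA_URL = "/xyz/NL_nl/account/page/address"   # constructed, not from the thread

CANDIDATE_PATTERNS = [
    "/*/*/account/page/add/",      # post #1, attempt 1
    "/*/*/account/page/add*",      # post #1, attempt 2
    "/*/*/account/page/add**",     # post #1, attempt 3
    "/*/*/account/page/add*/**",   # post #2, suggested fix
]


def _tokens(s):
    """Split on '/', dropping empty tokens (leading, trailing or doubled slashes)."""
    return [t for t in s.split("/") if t]


def _segment_match(token, segment):
    """Match one pattern segment: '*' is any run of non-slash characters, '?' one
    character.  A token such as 'add**' is an ordinary segment with two stars;
    only a token that is exactly '**' spans segments, which is why 'add**'
    behaves like 'add*'."""
    regex = "".join(
        "[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch)
        for ch in token
    )
    return re.fullmatch(regex, segment) is not None


def _match(patt, path, strict, same_trailing_slash, path_has_slash):
    if not patt:
        # Pattern exhausted: the path must be exhausted too and, for patterns
        # without any '**' token, the trailing slash must agree.  This is the
        # rule that lets '/add' slip past 'add/' and '/add/' slip past 'add*'.
        return not path and (not strict or same_trailing_slash)
    head, rest = patt[0], patt[1:]
    if head == "**":
        if all(t == "**" for t in rest):
            return True                     # a trailing '**' absorbs whatever is left
        return any(_match(rest, path[i:], strict, same_trailing_slash, path_has_slash)
                   for i in range(len(path) + 1))
    if not path:
        # A lone final '*' still matches a path ending in '/' (e.g. '/a/*' vs '/a/').
        return strict and head == "*" and not rest and path_has_slash
    if not _segment_match(head, path[0]):
        return False
    return _match(rest, path[1:], strict, same_trailing_slash, path_has_slash)


def ant_match(pattern, url):
    """True if url matches the Ant-style pattern: both sides lower-cased, the
    leading slash must agree, '**' spans segments, trailing slash significant
    for patterns without '**'."""
    pattern, url = pattern.lower(), url.lower()
    if pattern.startswith("/") != url.startswith("/"):
        return False
    p_tokens = _tokens(pattern)
    return _match(
        p_tokens, _tokens(url),
        strict="**" not in p_tokens,
        same_trailing_slash=pattern.endswith("/") == url.endswith("/"),
        path_has_slash=url.endswith("/"),
    )


def check_pattern(pattern, urls):
    """Map each URL to whether the editor-only rule catches it (True = denied to
    non-editors; False = falls through to the permissive /*/*/account/** rule)."""
    return {url: ant_match(pattern, url) for url in urls}


def covers_all(pattern, urls):
    """True only if every spelling is caught by the restrictive rule."""
    return all(check_pattern(pattern, urls).values())


if __name__ == "__main__":
    for pattern in CANDIDATE_PATTERNS:
        print(pattern, "covers all three:", covers_all(pattern, THREAD_URLS))
        for url, hit in check_pattern(pattern, THREAD_URLS + [EXTRA_URL]).items():
            print("   ", url, "-> editor-only rule" if hit else "-> falls through")
```

    The table reproduces the thread's observations: `add/` catches only the slash form, `add*` and `add**` miss it, and `add*/**` catches all three. "Falls through" relies on the order of the rules: intercept-url elements are evaluated top to bottom and the first match wins, so a request the restrictive rule does not match is decided by `/*/*/account/**`. The constructed extra row shows the side effect of the wildcard fix: `add*` also matches `address`, so any later `add...` page under `/account/page/` becomes editor-only as well. That fails closed, so it is a usability rather than an authorization problem, but it is why the alternative above of listing each spelling in its own intercept-url element is the tighter option.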



  • #3
    Thanks that did the trick.
