
  • securing a simple web site

    I am working on a basic web site that will have three security layers: public, data entry, admin. For starters I will simply have three controllers and three folders under the views:

    WEB-INF\views\admin
    WEB-INF\views\dataEntry
    WEB-INF\views\public

    The catch is that when folks browse to the web root of the web site, simply /, they get WEB-INF\views\public\index.jsp. The problem I have is that security is not blocking users who are not logged in from getting into the admin or dataEntry folders. Here is my security.xml file:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
            ">

        <http auto-config="true" use-expressions="true">

            <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
            <intercept-url pattern="/dataEntry/**" access="ROLE_PLAYER" />
            <intercept-url pattern="/public/**" access="permitAll" />

            <form-login login-page="/login" default-target-url="/" authentication-failure-url="/loginfailed" />

            <logout logout-success-url="/logout" />

        </http>

        <authentication-manager>
            <authentication-provider>
                <jdbc-user-service data-source-ref="dataSource"

                    users-by-username-query="
                        select username, password, enabled
                        from user where username=?"

                    authorities-by-username-query="
                        select u.username, ur.authority from user u, user_role ur
                        where u.user_id = ur.user_id and u.username = ?"

                />
            </authentication-provider>
        </authentication-manager>

    </beans:beans>

    How do I configure the site to block access to the sections correctly?

  • #2
    Security is based on the URL that is requested to access the site, not the view's location. So you need to express your security in regards to the requested URL (i.e. the URL in the browser) rather than the view. Without knowing your URL mappings, this is difficult for an outsider to answer.

    Since the configuration specifies use-expressions="true" you will want to make sure you use access="hasRole('ROLE_ADMIN')" instead of access="ROLE_ADMIN" (similar changes should be made for ROLE_PLAYER).
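To make the two points above concrete, here is the `<http>` section rewritten with SpEL expressions. This is an added example, not the poster's configuration or the answer's code. It assumes the controllers are actually mapped at request URLs under /admin/**, /dataEntry/** and /public/** (the thread never shows the mappings); the permitAll rules for the login and logout URLs and the deny-by-default `/**` rule at the end are additions beyond what the thread states.

```xml
<!-- Added example (not from the thread). intercept-url patterns are matched
     against the requested URL, never against WEB-INF/views paths. Rules are
     evaluated top to bottom and the first matching pattern wins, so the
     broadest pattern goes last. -->
<http auto-config="true" use-expressions="true">

    <!-- Assumption: the login, login-failure and logout URLs must stay reachable
         by anonymous users, otherwise the catch-all rule at the bottom would
         redirect an unauthenticated browser to /login in a loop.
         "/login*" covers both /login and /loginfailed. -->
    <intercept-url pattern="/login*" access="permitAll" />
    <intercept-url pattern="/logout" access="permitAll" />

    <!-- With use-expressions="true", a bare role name such as ROLE_ADMIN is
         not a valid access expression; hasRole('...') is. -->
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/dataEntry/**" access="hasRole('ROLE_PLAYER')" />
    <intercept-url pattern="/public/**" access="permitAll" />

    <!-- The web root itself serves the public index page. -->
    <intercept-url pattern="/" access="permitAll" />

    <!-- Assumption / addition: deny by default. Any URL not listed above
         (a mistyped pattern, a controller added later) now requires a login
         instead of being silently open to everyone. -->
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <form-login login-page="/login" default-target-url="/"
                authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/logout" />

</http>
```

If the controllers are mapped differently (for example /admin.htm or /admin/list rather than anything under /admin/), the patterns have to follow those request mappings; the folder names under WEB-INF/views play no part in the decision. A quick check is to open /admin/ and /dataEntry/ in a browser with no session: both should redirect to /login, and only /, /public/** and the login URLs should render without one.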
