Announcement Announcement Module
No announcement yet.
404 (Not Found) for URL not listed as intercept-url. Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • 404 (Not Found) for URL not listed as intercept-url.


    Currently, I've listed all known, valid URL's in the application with a

    <security:intercept-url pattern="..." access="..."/>

    At the end of the enumeration I've got a

    <!-- Deny access for all other URL's. -->
    <security:intercept-url pattern="/**" access="denyAll"/>

    to deny access to all other URL's.

    If a user requests a page / URL that is not known, he's redirected to the login page.

    What is the best way to return a 404 (Not Found) instead of redirecting to login page if the URL is not mentioned in the list of intercepted URL's? Does Spring Security provide an expression to send back / redirect to a 404 page if the resource does not exist (in the sense of not being listed as a intercepted URL)?

    Cheers, Felix

  • #2
    The Spring Security filter is hit before any "resources" in your application. As such it's unaware whether any urls will render at all once it passes the filter.

    What you could do is to explicitly define every url in your application - and then remove the last part of your filter chain that denies all other urls. But doing so is a bad practice in that it's prone to human error (somebody will forget to update spring security when adding a new page).

    Also - ignoring Spring Security for the moment - what you're trying to do is generally considered a bad practice. At a minimum - it gives a potential attacker information as to what urls don't (or do) exist in your application. But it could also expose security issues associated with your underlying web application to unauthenticated users.