
  • Get is not authorized for url only protected for post

    In our application almost all pages can be accessed with the GET method by anyone. However, if you want to submit a comment or something similar, you must log in.

    Everything works fine with Spring security except the next scenario:
    - the user GETs a page that is only protected for the POST method (like /imageFull/content/2/)
    - user tries to submit a comment to this page
    - the login page comes up
    - user doesn't want to login, so navigates to a different page (/imageFull/content/1/)
    - later on user wants to see the same page again (/imageFull/content/2/)
    - the login page comes up again for the GET request, so the user cannot access the page even with the GET method

    I'm not sure if our configuration is wrong or there is a bug in Spring security.

    Can someone look into it?

    I've worked around this strange behavior with a filter that runs before the Spring Security filter. It removes the SPRING_SECURITY_SAVED_REQUEST_KEY attribute from the session if the same URI is accessed again and the current method is GET.

    web.xml
    Code:
    ...
     <filter-mapping>
      <filter-name>encodingFilter</filter-name>
      <url-pattern>/*</url-pattern>
     </filter-mapping>
    
     <!-- Session clean-up filter (class shown below). It is declared and mapped before the
          Spring Security chain so that it runs first: the container applies filters in the
          order of their filter-mapping elements. It never blocks a request itself. -->
     <filter>
      <filter-name>kikoSecurityFilter</filter-name>
      <filter-class>com.kiko.store.filters.KikoSecurityFilter</filter-class>
     </filter>
    
     <filter-mapping>
      <filter-name>kikoSecurityFilter</filter-name>
      <url-pattern>/*</url-pattern>
     </filter-mapping>
    
     <!-- FilterChain proxy for security -->
     <!-- The filter-mapping for springSecurityFilterChain is outside this excerpt; it must
          follow the kikoSecurityFilter mapping for the ordering above to hold. -->
     <filter>
      <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
     </filter>
    ...
    security-config.xml
    Code:
    <!-- NOTE(review): access-denied-page and expired-url point at /login.html while the login
         form itself is served from /login/; confirm both paths are really served. -->
    <security:http access-denied-page="/login.html?access_denied=true" path-type="regex">
     <!-- Form login: the form is served from /login/ and submitted to /login. -->
     <security:form-login login-processing-url="/login" login-page="/login/" authentication-failure-url="/login/?login_error=true"/>
     <security:anonymous username="anonymous"/>
     <security:http-basic/>
     <security:logout logout-url="/logout"/>
     <security:remember-me />
     <security:concurrent-session-control max-sessions="1" expired-url="/login.html?concurrent_session=true"/>
     <!-- intercept-url rules are evaluated in order and the first matching pattern wins. The
          specific POST rules must therefore stay above the POST catch-all on "/.*", and the GET
          rules that require a role must stay above the GET catch-all that admits ROLE_ANONYMOUS.
          Patterns are regular expressions (path-type="regex"). -->
     <security:intercept-url pattern="/registration.*" method="POST" access="ROLE_ANONYMOUS" />
     <security:intercept-url pattern="/forgotPassword.*" method="POST" access="ROLE_ANONYMOUS" />
     <security:intercept-url pattern="/changePassword/\?.*" method="POST" access="ROLE_ANONYMOUS" />
     <security:intercept-url pattern="/changePassword/" method="POST" access="ROLE_ADMIN,ROLE_MEMBER" />
     <security:intercept-url pattern="/contactUs/" method="POST" access="ROLE_ADMIN,ROLE_MEMBER,ROLE_ANONYMOUS" />
     <security:intercept-url pattern="/images/" method="POST" access="ROLE_ADMIN,ROLE_MEMBER,ROLE_ANONYMOUS" />
     <security:intercept-url pattern="/videos/" method="POST" access="ROLE_ADMIN,ROLE_MEMBER,ROLE_ANONYMOUS" />
     <!-- Every other POST requires a logged-in member. This is the rule that the saved-request
          scenario described in the post runs into (a GET that follows a refused POST login). -->
     <security:intercept-url pattern="/.*" method="POST" access="ROLE_ADMIN,ROLE_MEMBER" />
     <security:intercept-url pattern="/profile.*" method="GET" access="ROLE_ADMIN,ROLE_MEMBER" />
     <security:intercept-url pattern="/imageWrite.*" method="GET" access="ROLE_ADMIN,ROLE_MEMBER" />
     <security:intercept-url pattern="/mail.*" method="GET" access="ROLE_ADMIN,ROLE_MEMBER" />
     <!-- NOTE(review): this rule only works if the query string is part of the URL that the
          patterns are matched against; confirm for the Spring Security version in use. -->
     <security:intercept-url pattern="/.*vote=.*" method="GET" access="ROLE_ADMIN,ROLE_MEMBER" />
     <!-- Every other GET is public: anonymous users are admitted. -->
     <security:intercept-url pattern="/.*" method="GET" access="ROLE_ADMIN,ROLE_MEMBER,ROLE_ANONYMOUS" />
    </security:http>
    Additional filter for removing the SPRING_SECURITY_SAVED_REQUEST_KEY in the above scenario
    Code:
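    /**
     * Servlet filter that discards Spring Security's saved request in one specific situation.
     *
     * <p>When an anonymous user POSTs to a page whose POST is protected, Spring Security stores
     * that POST as the "saved request" in the session and sends the user to the login page. If
     * the user declines to log in and later issues a plain GET for the same URI, the stale saved
     * POST in the session still leads to the login page. This filter removes the saved request
     * when it sees a GET for the URI of a saved POST and no login attempt has left a username in
     * the session, so the GET is evaluated under the GET rules.
     *
     * <p>It must be mapped ahead of {@code springSecurityFilterChain} in web.xml. It never blocks
     * a request itself: every request is passed on to the rest of the chain.
     */
    public class KikoSecurityFilter implements Filter {
        private static final Logger logger = LoggerFactory.getLogger(KikoSecurityFilter.class);

        /**
         * Clears the saved request from the session when it is a saved POST for the URI of the
         * current GET, then continues the filter chain unconditionally.
         *
         * @param request  current request; only inspected if it is an {@link HttpServletRequest}
         * @param response current response, passed through untouched
         * @param chain    the remaining filter chain, always invoked
         * @throws IOException      propagated from the chain
         * @throws ServletException propagated from the chain
         */
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            if (request instanceof HttpServletRequest) {
                clearStaleSavedPost((HttpServletRequest) request);
            }
            chain.doFilter(request, response);
        }

        /**
         * Removes the saved request if it is a POST to the same URI as this GET and the session
         * holds no last-attempted username.
         *
         * @param httpRequest the current request
         */
        private static void clearStaleSavedPost(HttpServletRequest httpRequest) {
            // getSession(false): never create a session merely to inspect it.
            HttpSession session = httpRequest.getSession(false);
            if (session == null) {
                return;
            }
            SavedRequest savedRequest =
                    (SavedRequest) session.getAttribute(AbstractProcessingFilter.SPRING_SECURITY_SAVED_REQUEST_KEY);
            if (savedRequest == null) {
                return;
            }
            String savedMethod = savedRequest.getMethod();
            String savedUri = savedRequest.getRequestURI();
            // Only a GET of the same URI as a saved POST is affected; the query string is not compared.
            boolean getOfSavedPost = "POST".equals(savedMethod)
                    && "GET".equals(httpRequest.getMethod())
                    && httpRequest.getRequestURI().equals(savedUri);
            if (!getOfSavedPost) {
                return;
            }
            // A last-username attribute is treated as evidence that the user did try to log in, in
            // which case the saved request is kept so a later successful login can still replay the
            // POST. NOTE(review): presumably this attribute is only set by the login form — confirm.
            String lastUsername =
                    (String) session.getAttribute(AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY);
            if (lastUsername == null) {
                // Parameterised logging; the rendered message is unchanged.
                logger.warn("Spring security is overwritten, uri:{}, method:{}", savedUri, savedMethod);
                session.removeAttribute(AbstractProcessingFilter.SPRING_SECURITY_SAVED_REQUEST_KEY);
            }
        }

        /** No init parameters are used. */
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        }

        /** Nothing to release. */
        @Override
        public void destroy() {
        }
    }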
    Last edited by ferengra; May 18th, 2009, 08:46 AM.