How to deal with /static resources and security
This topic is closed

  • How to deal with /static resources and security


    I've got a design problem with Spring Security.
    I'm building a web application with two areas, one public and one secured. Moreover, I've set up <session-management /> for the secured area to track session timeouts.

    Static resources are intercepted with access="permitAll" because security won't work if the
    /static/j_spring_security_* resources don't go through the security filter chain (am I wrong?).

    The public area URLs are intercepted with filters="none".
    When a static resource is requested from the public area, a new session is created!

    Do you have any advice on how to deal with static resources involved in the security process and those which are not?


    With spring-security-3.0.2
        <http auto-config="true" use-expressions="true" path-type="regex">
            <form-login login-processing-url="/static/j_spring_security_check"
                login-page="/login" authentication-failure-url="/login?login_error=t" />
            <logout logout-url="/static/j_spring_security_logout" invalidate-session="true" logout-success-url="/login?logout_ok=t" />
            <session-management invalid-session-url="/login?session_timeout=t" session-fixation-protection="none"/>
            <intercept-url pattern="/admin/.*" access="hasRole('ROLE_ADMIN')"/><!-- restricted area -->
            <intercept-url pattern="/after-login/.*" access="isAuthenticated()"/>
            <intercept-url pattern="/resources/.*" access="permitAll" />
            <intercept-url pattern="/static/.*" access="permitAll" />
            <intercept-url pattern="/login[^/].*$" filters="none"/>
            <intercept-url pattern="/[^\\p{Digit}]+/.*" filters="none" /><!-- public area -->
            <intercept-url pattern="/.*" filters="none" />
        </http>

  • #2
    I don't understand the question. Can you expand on what you mean by "static resources involved in the security process"? Static resources are static resources and requests for them shouldn't have any effect on Spring Security.

    Also, if a session is being created unnecessarily you should work out where that is happening.