  • Able To Include Parameters and Values in Security Pattern?

    Hi,

    I am attempting to use the Spring security pattern to intercept a URL that includes a particular parameter and value. Can someone tell me if what I am attempting is feasible and if so, what am I doing wrong please? Details as follows.

    There are two types of user that can access the same page. However, each user is limited to one request value as shown below.

    <security:intercept-url pattern="/**foo.htm?parameter=value1*" access="ROLE_USER1"/>
    <security:intercept-url pattern="/**foo.htm?parameter=value2*" access="ROLE_USER2"/>

    However, I am finding that the above configuration will not permit ROLE_USER1 to access a page with request:
    ...foo.htm?parameter=value1

    I have tried a couple of variations, but neither of these worked either:

    <security:intercept-url pattern="/**foo.htm\?parameter=value1*" access="ROLE_USER1"/>
    <security:intercept-url pattern="/**foo.htm*parameter=value1*" access="ROLE_USER1"/>

    Should I be able to filter on a parameter value and if so, what is the correct syntax?

    Thank you.

    Regards

    Brett S

  • #2
    Query strings are stripped when using ant paths. You can switch to regular expression matching for more complicated matches.

    • #3
      Hi Luke,

      Thanks for your reply. I did as you suggested (after upgrading to version 3.03) and the following worked exactly as required:

      <http auto-config="false" path-type="regex">
      ...
      <intercept-url pattern="/.*foo\.htm\?parameter=value1.*" access="ROLE_USER1"/>
      <intercept-url pattern="/.*foo\.htm\?parameter=value2.*" access="ROLE_USER2"/>
      ...
      </http>


      However, I now have a problem in a JSP where I am attempting to do this:

      <sec:authorize access="hasRole('ROLE_USER1')">
      USER1 stuff here...
      </sec:authorize>

      What happens is my environment throws this error:

      javax.servlet.ServletException: javax.servlet.jsp.JspException: No visible WebSecurityExpressionHandler instance could be found in the application context. There must be at least one in order to support expressions in JSP 'authorize' tags.
      org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:850)

      The documentation states:
      "The expression evaluation will be delegated to the WebSecurityExpressionHandler defined in the application context (you should have web expressions enabled in your <http> namespace configuration to make sure this service is available)."

      However, I have been googling this and can't for the life of me figure out what I should put in the application context. Any suggestions?

      Thank you

      Regards

      Brett S

      • #4
        Set up your <http> configuration to use expression-based access attributes.

        • #5
          Hey Luke,

          That did the trick!

          I added:
          use-expressions="true" to my <http> markup.

          An unexpected consequence was I had to change the access expressions from:
          access="ROLE_USER1"
          to:
          access="hasRole('ROLE_USER1')"

          So, I ended up with the following markup:
          <http auto-config="false" path-type="regex" use-expressions="true">
          ...
          <intercept-url pattern="/.*foo\.htm\?parameter=value1.*" access="hasRole('ROLE_USER1')"/>
          <intercept-url pattern="/.*foo\.htm\?parameter=value2.*" access="hasRole('ROLE_USER2')"/>
          ...
          </http>

          and now this JSP expression works too:
          <sec:authorize access="hasRole('ROLE_USER1')">
          USER1 stuff here...
          </sec:authorize>

          Thanks again, Luke. Now I can get some sleep.

          Regards

          Brett S
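Brett's regex patterns work because, with path-type="regex", the pattern is compared against the full path-plus-query string, whereas the Ant matcher Luke mentions drops the query string before comparing. The following is an added example, not code from this thread or from Spring Security: a small Python model of the two matching styles (assumptions, also noted in the comments: the URL handed to the matcher is the context-relative servlet path plus "?" and the raw query string, Ant matching strips the query first, and regex matching must match that whole string, as Java's Matcher.matches() does). It runs the thread's own intercept-url patterns against constructed request URLs and adds the check a reviewer wants after a change like this: which requests fall through every rule and are therefore left unsecured, and how a trailing catch-all rule (denyAll, a standard Spring Security expression) closes that gap.

```python
import re
from typing import List, Optional, Tuple

# Added example modelling the matching discussed in this thread; not Spring's code.
# Assumptions: the URL handed to the matcher is the context-relative servlet path
# plus "?" and the raw query string; Ant matching strips the query string first;
# regex matching must match that whole string (like Java's Matcher.matches()).

Rule = Tuple[str, str]  # (intercept-url pattern, access attribute)

# The thread's original Ant-style rules (post #1).
ANT_RULES: List[Rule] = [
    ("/**foo.htm?parameter=value1*", "ROLE_USER1"),
    ("/**foo.htm?parameter=value2*", "ROLE_USER2"),
]

# The regex rules that worked (post #5), with expression-based access attributes.
REGEX_RULES: List[Rule] = [
    (r"/.*foo\.htm\?parameter=value1.*", "hasRole('ROLE_USER1')"),
    (r"/.*foo\.htm\?parameter=value2.*", "hasRole('ROLE_USER2')"),
]

# Same rules plus a final catch-all so that anything the specific rules miss is
# denied instead of being left unsecured (denyAll is a standard Spring expression).
HARDENED_RULES: List[Rule] = REGEX_RULES + [(r"/.*", "denyAll")]


def build_request_url(servlet_path: str, query_string: Optional[str]) -> str:
    """Join path and query the way the security filter sees the request."""
    return servlet_path if not query_string else f"{servlet_path}?{query_string}"


def ant_matches(pattern: str, url: str) -> bool:
    """Ant-style match after stripping the query string: '**' spans path
    segments, '*' matches within one segment. A '?' in the pattern can
    therefore never match anything, which is why the Ant rules above fail."""
    path = url.split("?", 1)[0]
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None


def regex_matches(pattern: str, url: str) -> bool:
    """path-type="regex": the pattern must match the entire path+query."""
    return re.fullmatch(pattern, url) is not None


def decide(rules: List[Rule], url: str, path_type: str = "regex") -> Optional[str]:
    """Access attribute of the first matching rule, or None when no rule matches
    (an unmatched request is not protected by any intercept-url at all)."""
    matcher = regex_matches if path_type == "regex" else ant_matches
    for pattern, access in rules:
        if matcher(pattern, url):
            return access
    return None


def unsecured_requests(rules: List[Rule], urls: List[str], path_type: str = "regex") -> List[str]:
    """Review helper: which of these request URLs fall through every rule?"""
    return [u for u in urls if decide(rules, u, path_type) is None]


if __name__ == "__main__":
    # Constructed sample requests, including ones the patterns do not anticipate.
    samples = [
        build_request_url("/app/foo.htm", "parameter=value1"),
        build_request_url("/app/foo.htm", "parameter=value2"),
        build_request_url("/app/foo.htm", "other=1&parameter=value1"),  # reordered params
        build_request_url("/app/foo.htm", None),                        # no query at all
    ]
    for url in samples:
        print(f"{url:45} ant={decide(ANT_RULES, url, 'ant')!s:6} "
              f"regex={decide(REGEX_RULES, url)} hardened={decide(HARDENED_RULES, url)}")
    print("unsecured under REGEX_RULES:", unsecured_requests(REGEX_RULES, samples))
    print("unsecured under HARDENED_RULES:", unsecured_requests(HARDENED_RULES, samples))
```

Run as a script, the Ant rules match nothing (the query string is gone before comparison), the regex rules match exactly the two requests Brett wanted, and the unsecured list shows that a request with no query string or with the parameters in a different order matches no rule at all. Ordering matters: the catch-all must be the last intercept-url entry, because the first matching rule decides.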
