why is security NOT stopping access to my flow??
  • why is security NOT stopping access to my flow??

    Below you will see my index page of my demo. I want to give everyone access to the Spring MVC but I only want to give user "user" access to the Spring-Web-Flow demo. Why is this letting everyone into the flow?

    Here is my index page:
    Code:
    <html>
    <head>
    	<title>Spring 3.0 MVC Series</title>
    </head>
    <body>
    	<a href="login.jsp">Login</a><p><p>
    	<a href="hello.html">Say Hello (Spring MVC)</a><p>
    	<a href="./helloworld">Say Hello (Spring-Web-Flow)</a>
    </body>
    </html>
    Here is my-security-context.xml:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans 
        xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans" 
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
    						http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    						http://www.springframework.org/schema/security
    						http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    	<http use-expressions="true">
    		<intercept-url pattern='/*' access='permitAll' />
    		<intercept-url pattern="/helloworld**" access="hasRole('ROLE_USER')" />
    		<form-login login-page="/login.jsp"
    			authentication-failure-url="/security/loginfail"
    			default-target-url="/helloworld" />
    		<logout logout-success-url="/" />
    	</http>
    	<authentication-manager>
    		<authentication-provider>
    			<user-service>
    				<user name="user" password="user" authorities="ROLE_USER" />
    			</user-service>
    		</authentication-provider>
    	</authentication-manager>
    </beans:beans>

  • #2
    The path "helloworld" will match your first "permitAll" rule:

    Code:
    <intercept-url pattern='/*' access='permitAll' />
    Since this is the first rule that matches, other rules in your configuration are not tested any more.
    For a quick fix, just switch the rules.
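
The first-match behaviour described in the answer above can be checked mechanically. The following is an added example, not code from the thread or from Spring Security: it reads the `intercept-url` rules in document order and flags a rule that an earlier, broader rule already decides. The function names are hypothetical and `ant_to_regex` is a simplified approximation of Ant-style matching.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/security}"
# Constructed sample: the <http> block from the question, trimmed to its rules.
QUESTION_CONFIG = """<http xmlns="http://www.springframework.org/schema/security" use-expressions="true">
  <intercept-url pattern='/*' access='permitAll' />
  <intercept-url pattern="/helloworld**" access="hasRole('ROLE_USER')" />
</http>"""

def ant_to_regex(pattern):
    """Simplified Ant matching: '?' is one char, '*' any run without '/',
    a whole-segment '/**' any number of segments. Assumption: a '**' that is
    not a whole segment (as in '/helloworld**') behaves like '*'."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and (i + 3 == len(pattern) or pattern[i + 3] == "/"):
            out, i = out + "(/[^/]*)*", i + 3
        elif pattern[i] == "*":
            out += "[^/]*"
            while i < len(pattern) and pattern[i] == "*":
                i += 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + r"\Z")

def rules(config_xml):
    """Return [(pattern, access)] in document order, which is evaluation order."""
    return [(e.get("pattern"), e.get("access"))
            for e in ET.fromstring(config_xml).iter(NS + "intercept-url")]

def decide(rule_list, path):
    """First matching rule wins; later rules are never consulted."""
    for pattern, access in rule_list:
        if ant_to_regex(pattern).match(path):
            return pattern, access
    return None

def shadowed(rule_list):
    """Heuristic lint: turn each pattern into one concrete path it covers and
    report rules where an earlier rule with a different access matches it."""
    hits = []
    for idx, (pattern, access) in enumerate(rule_list):
        probe = pattern.replace("*", "").replace("?", "x")
        winner = decide(rule_list[:idx], probe)
        if winner and winner[1] != access:
            hits.append((pattern, winner[0], probe))
    return hits
```

Running `shadowed(rules(QUESTION_CONFIG))` reports the `/helloworld**` rule as decided by `/*`; with the two rules swapped it reports nothing.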


    • #3
      Thanks koen, it worked... My next step is going to be getting the CAS we have working with the Spring MVC project working with the Spring Web Flow 2 project. I'll keep everyone updated.
