
Spring Security doesn't redirect to login page after dropping one intercept-url

I have the following spring-security configuration:

<http auto-config="true" pattern="/admin/**" authentication-manager-ref="adminAuthenticationManager">
    <form-login login-page="/loginAdmin" login-processing-url="/admin/j_spring_security_check_admin"
                default-target-url="/admin"
                authentication-failure-url="/loginAdminFailed"
                authentication-success-handler-ref="authAdminSuccessHandler"/>

    <intercept-url pattern="/admin/**"
                   access="ROLE_SUPERADMIN, ROLE_TERMINAL_MODERATOR, ROLE_IMAGE_MODERATOR, ROLE_CAMPAIGN_MODERATOR, ROLE_FINANSIER, ROLE_MODERATOR"/>

    <logout logout-url="/logout" logout-success-url="/loginAdmin"/>
    <port-mappings>
        <port-mapping http="${http.port}" https="${https.port}"/>
    </port-mappings>
</http>

Now when I am anonymous and attempt to go to http://localhost:8080/admin, it redirects me to http://localhost:8080/loginAdmin.

In debug I see that the following controller method:

@RequestMapping(value = "/admin", method = RequestMethod.GET)
public String index(Principal principal, HttpSession session) {
    session.setAttribute("userName", principal.getName());
    return "admin/index";
}

is not invoked.

When I removed

<intercept-url pattern="/admin/**"
               access="ROLE_SUPERADMIN, ROLE_TERMINAL_MODERATOR, ROLE_IMAGE_MODERATOR, ROLE_CAMPAIGN_MODERATOR, ROLE_FINANSIER, ROLE_MODERATOR"/>

from the configuration, I see the following situation: I type http://localhost:8080/admin, program execution goes to the controller method, and I see a NullPointerException. Expected result: redirect to http://localhost:8080/loginAdmin.

Can you explain what happens? Why do my small changes have this side effect?

Usually there is a concept called session validation for authentication. By default the web server creates a unique session ID in a cookie named JSESSIONID, appends it to the HttpResponse, and it is stored in the client browser's memory. When a user logs in to a web application, the web server should invalidate the current session ID from the login page (/loginAdmin in the above code), create a new session ID, and append it to the browser's JSESSIONID cookie. On every request sent from the client browser, the web application should check that the session is not new for the authenticated user, and only then allow the code inside the controller function to execute.

After logging out, the session ID should be invalidated and a new unique session ID assigned again. This technique is followed to prevent session hijacking attacks. So when a logged-out user or any anonymous user tries to navigate to any URL in the middle without authentication, the server should validate whether that is a valid session and then allow the function to execute further; otherwise it redirects to the login page URL.

So in Spring Security you need not implement these security-related functionalities yourself. It has this session validation functionality and some additional functionalities. You just mention the URLs of the pages and their user roles, and it will handle it.

Before working in a web framework like Spring, Struts, JSF, etc., you should know Java Servlets completely. This link may be useful: http://www.journaldev.com/1907/java-servlet-session-management-tutorial-with-examples-of-cookies-httpsession-and-url-rewriting
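As an added illustration (not code from the question, the answer, or Spring Security itself), here is a plain servlet filter that does the gatekeeping the dropped `<intercept-url pattern="/admin/**">` rule delegates to Spring Security: a request under /admin that carries no authenticated principal is redirected to /loginAdmin and never reaches the controller, so the controller cannot dereference a null Principal. The class name AdminAuthGateFilter is assumed for the example; the paths come from the question's configuration.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (example only, not part of Spring Security or the asker's project).
// It makes explicit what the removed <intercept-url> rule was doing: with no rule for
// /admin/**, nothing stands between an anonymous request and the controller, and the
// NullPointerException is merely the symptom of that fail-open configuration.
public class AdminAuthGateFilter implements Filter {

    private static final String LOGIN_PAGE = "/loginAdmin"; // login-page from the question's config

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Compare the path relative to the context root so a deployed context path
        // (e.g. /app/admin) is still recognised as the protected area.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        boolean protectedArea = path.equals("/admin") || path.startsWith("/admin/");

        if (protectedArea && !isAuthenticated(request)) {
            // Deny by default: anonymous callers are sent to the login page instead of the controller.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    // An authenticated request exposes a non-null Principal; an anonymous one does not.
    // This is the same value the controller receives as its Principal parameter.
    static boolean isAuthenticated(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        return principal != null && principal.getName() != null;
    }

    @Override
    public void destroy() { }
}
```

Registering the filter for /admin/* in web.xml restores the redirect behaviour the asker expected; keeping the original intercept-url is the idiomatic way to get the same deny-by-default behaviour from Spring Security, which additionally enforces the listed roles.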
