spring security is not filtering access to resources based on roles

Question

i am using spring security 3.1.4. for some reason, access to resources is not being filtered correctly. my security xml file looks like the following.

<http auto-config="true">
 <intercept-url pattern="/**" access="ROLE_USER"/>
 <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
 ...
</http>

as you can see, what i want to express with this configuration is that a USER can access any resource unless they are accessing resources mapped to /admin/something.

when i log in as a user with ROLE_USER only (verified in the database, as i am using the jdbc-user-service), i can still point my browser to

/myapp/admin/default

and see all the contents.

i then change my security xml to look like the following.

<http auto-config="true">
 <intercept-url pattern="/**" access="ROLE_ADMIN"/>
 <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
 ...
</http>

when i log in as a user with ROLE_USER, then i get a HTTP 403 Access is denied.

my questions are

1. how come /admin/** (ROLE_ADMIN) does not override /** (ROLE_USER) ?
2. which filter (or where in the code precisely) does the actual check of roles and resources? i took a look at FilterSecurityInterceptor but the code seems to just be passing objects around.
3. how do i fix this problem? do i have to define /user/** for ROLE_USER and /admin/** for ROLE_ADMIN ? it looks like that's a possible solution.

any help is appreciated.

Answer 1

Try putting the admin pattern before the more general /** pattern. From the docs ( http://docs.spring.io/spring-security/site/docs/3.0.x/reference/core-web-filters.html ) the most specific patterns need to be declared higher in the list of patterns.

<http auto-config="true">
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
    <intercept-url pattern="/**" access="ROLE_USER"/>   
 ...
</http>