
Spring mvc and security role based restriction issue

I'm building an application using spring-mvc 3.1.1.RELEASE and Spring Security. I want everyone to have to be logged in to access it, and I also want to restrict access to some pages by user role. I edited spring-security.xml as follows:

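<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.1.xsd">

    <!-- Loads user records for authentication. The "accountService" and
         "stdEncoder" beans are referenced here but defined in another
         context file that is not shown. -->
    <bean id="userDetailsService" class="it.dedagroup.cartesio.security.auth.UserDetailServiceImpl">
        <property name="accountService" ref="accountService"/>
    </bean>

    <!--
      intercept-url rules are evaluated top to bottom and the FIRST matching
      pattern decides access. Specific rules therefore go first and the
      catch-all goes LAST; a "/**" rule placed first shadows every role rule
      below it. A request that matches no rule is not protected at all, so
      the trailing "/**" rule is what enforces "everyone must be logged in"
      for anything not listed here.

      NOTE(review): an Ant "/name*" pattern matches a single path segment
      only (e.g. "/name", "/name.json"). If the MVC layer also serves
      "/name/" or sub-paths, add a matching "/name/**" rule next to it,
      otherwise those requests fall through to the weaker catch-all.
    -->
    <sec:http auto-config="true" use-expressions="true" create-session="always">
        <!-- NOTE(review): HTTP Basic resends credentials on every request;
             the deployment should serve the application over TLS only
             (requires-channel="https" on the rules, or at the front end). -->
        <sec:http-basic />

        <!-- Public entry points: login flow, static resources, error pages.
             "/logout" is the logout-success-url below and must stay reachable
             without a session, or the post-logout redirect bounces to /login. -->
        <sec:intercept-url pattern="/login" access="permitAll"/>
        <sec:intercept-url pattern="/failedLogin"  access="permitAll"/>
        <sec:intercept-url pattern="/logout" access="permitAll"/>
        <sec:intercept-url pattern="/resources/**" access="permitAll"/>
        <sec:intercept-url pattern="/error"  access="permitAll"/>

        <!-- Pages for any authenticated user -->
        <sec:intercept-url pattern="/accessDenied*" access="isAuthenticated()" />
        <sec:intercept-url pattern="/home*" access="isAuthenticated()" />
        <sec:intercept-url pattern="/detailsUtente*" access="isAuthenticated()" />
        <sec:intercept-url pattern="/modificaAccount*" access="isAuthenticated()" />
        <sec:intercept-url pattern="/upload*" access="isAuthenticated()" />

        <!-- Administration: ROLE_ADMIN only -->
        <sec:intercept-url pattern="/utentiRicerca*" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/userEdit*" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/creaUser*" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/serverRicerca*" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/editServer*" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/prepareListaSearch*" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/prepareListaEdit*" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/groupInitSearch*" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/groupEdit*" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/listaUpdate*" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/emailRicerca*" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/prepareEditCasella*" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/acl*" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/initDaemons*" access="hasAnyRole('ROLE_ADMIN','ROLE_SYSTEM')" />

        <!-- Mail handling: operators and users -->
        <sec:intercept-url pattern="/mailbox*" access="hasAnyRole('ROLE_OPER','ROLE_USER')" />
        <sec:intercept-url pattern="/emailBody*" access="hasAnyRole('ROLE_OPER','ROLE_USER')" />
        <sec:intercept-url pattern="/pecBody*" access="hasAnyRole('ROLE_OPER','ROLE_USER')" />
        <sec:intercept-url pattern="/composeEmail*" access="hasRole('ROLE_OPER')" />

        <!-- Catch-all: must remain the LAST intercept-url. Anything not listed
             above needs a login; the role rules above still win because they
             are matched first. -->
        <sec:intercept-url pattern="/**" access="isAuthenticated()" />

        <sec:form-login login-page="/login"
                        always-use-default-target="true"
                        default-target-url="/home"
                        authentication-failure-url="/failedLogin" />

        <!-- delete-cookies takes a comma-separated list of cookie NAMES; the
             original value "true" would only try to delete a cookie literally
             named "true". Clearing the container session cookie is what was
             intended (rename if the container uses a different cookie name). -->
        <sec:logout invalidate-session="true" logout-success-url="/logout" delete-cookies="JSESSIONID" />

        <!-- One concurrent session per user; a new login expires the older one
             (error-if-maximum-exceeded="false") rather than being rejected. -->
        <sec:session-management invalid-session-url="/login" session-authentication-error-url="/failedLogin?sessionExpiredDuplicateLogin=true" >
            <sec:concurrency-control max-sessions="1" expired-url="/failedLogin" error-if-maximum-exceeded="false" />
        </sec:session-management>
    </sec:http>

    <!-- Authenticates against userDetailsService; passwords are compared via
         the "stdEncoder" bean defined elsewhere. -->
    <sec:authentication-manager>
        <sec:authentication-provider user-service-ref="userDetailsService">
            <sec:password-encoder ref="stdEncoder"/>
        </sec:authentication-provider>
    </sec:authentication-manager>

</beans>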

but if I remove the security mapping for the root URL, I get a page-not-found error, and if I put it back into the security configuration in this way:

<!-- Catch-all: intercept-url rules are matched in order and the first match
     wins, so this must be the LAST rule in <sec:http>; placed first it
     shadows every role-specific rule that follows it. -->
<sec:intercept-url pattern="/**" access="isAuthenticated()" />

it catches every request after login and ignores the rules I specified for the sub-URLs when I type them directly into the browser's address bar.

For example, I need only "ROLE_ADMIN" to be able to access the user search at the URL "/utentiRicerca", but if I log in with "ROLE_USER" and type "http://myhost.it:8080/myApp/utentiRicerca" into the browser, it doesn't give me the "HTTP 403" that this role should receive. What can I do about it?

the /** pattern will match any url so there will always be access to all links. If you put it first, the other links won't even be checked, and if you put it last, the other patterns will be checked, but even if they fail, when this is checked, the user will pass the security anyway.

If you want to restrict certain URLs, you could try changing your URL structure, for example by putting every URL that is secured by role under a "secured" path.

For example, you could use links like the following, with a "secured" prefix:

secured/prepareListaEdit

and have them secured with patterns like this:

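<!-- Request paths always begin with "/", so a pattern without the leading
     slash never matches anything; the closing quote after the pattern was
     also missing. Note that "/*" at the end requires one further path
     segment and does not cover the bare "/secured/prepareListaEdit" link
     itself - use "/secured/**" if the whole prefix should be admin-only. -->
<sec:intercept-url pattern="/secured/prepareListaEdit/*" access="hasRole('ROLE_ADMIN')" />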

and then add a pattern that uses /* instead of /** to grant access to the other links on your root path:

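<!-- The configuration above declares the security namespace with the "sec"
     prefix; an undeclared "security:" prefix fails to parse. Also note that
     "/*" matches only single-segment paths, so any deeper URL that matches no
     other rule is left unprotected. Because intercept-url rules are matched
     in order (first match wins), a "/**" catch-all listed AFTER the role
     rules is the safer default. -->
<sec:intercept-url pattern="/*" access="isAuthenticated()" />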

(because using /** would match all subpaths including "secured")

