Spring security intercept-url question

 
Ranch Hand
Posts: 254
Hi All,

I am using Spring Security and have configured below in the configuration file



The problem is that a.jsp is called using forward and not using redirect. Hence, although the user does not have access to this page, he is able to access it.

Does it mean that interceptor works only with redirect?
 
ranger
Posts: 17347
No, this is a common mistake. The URL in the XML is the URL, not the view resource. You put in .jsp, which tells me you have a JSP page that is the view. It does not say what the incoming URL that is coming in will be.

So I have a URL coming in like

www.myapp.com/orders/findOrder.htm, but after it runs my code it will return a view; the view could be displayOrders.jsp.

So instead of using /displayOrders.jsp in the intercept-url, I am not securing that particular view page file; I am securing the incoming URL of findOrder.htm.

Hope that helps clear things up.

Mark
 
Joshua Antony
Ranch Hand
Posts: 254
Thanks Mark,

In our application while navigating from one page to another we are using forward and not redirect.

Hence the URL does not change in the browser.

Is there any workaround for this case?
 
Mark Spritzler
ranger
Posts: 17347

Originally posted by Joshua Antony:
Thanks Mark,

In our application while navigating from one page to another we are using forward and not redirect.

Hence the URL does not change in the browser.

Is there any workaround for this case?



OK, let me try to rephrase. The string in the intercept-url is a view string only, which a Spring viewResolver will use to get the real view page. The intercept-url is not a real URL. It all depends on which view resolver you are using.

So give me an example of a Controller you have, in which you return a view String that works correctly for you.

Mark
 
Joshua Antony
Ranch Hand
Posts: 254
Hi Mark,

We are not using Spring MVC, we are using JSF.

In action methods we return a string that maps to an entry in faces-config.xml.
I have not configured <redirect/> in the faces-config file.

I also tried using the returned string as the intercept-url in the security xml, but it did not work.
 
Joshua Antony
Ranch Hand
Posts: 254
http://forum.springframework.org/archive/index.php/t-11025.html

Regards,
Joshua
 
Joshua Antony
Ranch Hand
Posts: 254
I have already configured the filter as below




In spite of this, FilterSecurityInterceptor is not invoked during a forward. What may be the reason?
 
Joshua Antony
Ranch Hand
Posts: 254
On further investigation, I found that FilterSecurityInterceptor is getting called during a forward also, but the field observeOncePerRequest is true and hence authentication is not being done.

How can I reset this variable?
 
Joshua Antony
Ranch Hand
Posts: 254
After googling and investigating a little bit of the Spring source, I found the fix.

There was a fix made on HttpSecurityBeanDefinitionParser.java. In order to set observeOncePerRequest to false, we need to set once-per-request="false" in the http element as shown below:

<http auto-config="true" realm="Contacts Realm" once-per-request="false">

Since checking is done as

in the HttpSecurityBeanDefinitionParser.java
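
The two settings this thread converges on, shown together as an added illustration (not part of the original posts and not the poster's actual configuration). It assumes the usual DelegatingFilterProxy registration under the name springSecurityFilterChain and the Spring Security namespace as the default XML namespace; the role names and the catch-all rule are constructed for the example.

```xml
<!-- web.xml fragment (assumed setup).
     Without <dispatcher> elements a filter-mapping applies to REQUEST only,
     so the container never runs the security chain for
     RequestDispatcher.forward(), which is how JSF navigates without <redirect/>. -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>

<!-- Security context fragment.
     once-per-request defaults to true: FilterSecurityInterceptor marks the
     request after its first access decision and skips the check when the same
     request object passes through again, which is what happens on a forward.
     Setting it to false makes every dispatch be evaluated against the rules. -->
<http auto-config="true" realm="Contacts Realm" once-per-request="false">
  <!-- Constructed rules: restrict the forwarded page, allow the rest to users. -->
  <intercept-url pattern="/a.jsp" access="ROLE_ADMIN"/>
  <intercept-url pattern="/**" access="ROLE_USER"/>
</http>
```

Both halves are needed: the FORWARD dispatcher gets the filter chain invoked for the forward, and once-per-request="false" makes the interceptor re-evaluate instead of reusing the decision made for the original URL. The intercept-url patterns have to match the path the request is forwarded to.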
 
Mark Spritzler
ranger
Posts: 17347
Thanks for posting the resolution.

Mark
 