Spring security intercept-url question

 
Joshua Antony
Ranch Hand
Posts: 254
Hi All,

I am using Spring Security and have configured below in the configuration file



The problem is that a.jsp is called using forward and not using redirect. Hence, although the user does not have access to this page, he is able to access it.

Does it mean that interceptor works only with redirect?
 
Mark Spritzler
ranger
Sheriff
Posts: 17278
No, this is a common mistake. The url in the xml is the URL, not the view resource. You put in .jsp which tells me you have a jsp page that is the view. It does not say what the incoming url that is coming in will be.

So I have a url coming in like

www.myapp.com/orders/findOrder.htm but after it runs my code it will return a view, the view could be displayOrders.jsp

So instead of using /displayOrders.jsp in the intercept-url, I am not securing that particular view page file, I am securing the incoming URL of findOrder.htm

Hope that helps clear things up

Mark
 
Joshua Antony
Ranch Hand
Posts: 254
Thanks Mark,

In our application while navigating from one page to another we are using forward and not redirect.

Hence the URL does not change in the browser.

Is there any workaround for this case?
 
Mark Spritzler
ranger
Sheriff
Posts: 17278
Originally posted by Joshua Antony:
Thanks Mark,

In our application while navigating from one page to another we are using forward and not redirect.

Hence the URL does not change in the browser.

Is there any workaround for this case?


OK, let me try to rephrase. The string in the intercept-url is a view string only, which a Spring viewResolver will use to get the real view page. The intercept-url is not a real URL. It all depends on which view resolver you are using.

So give me an example of a Controller you have, in which you return a view String that works correctly for you.

Mark
 
Joshua Antony
Ranch Hand
Posts: 254
Hi Mark,

We are not using Spring MVC, we are using JSF.

In action methods we return a string that maps to an entry in faces-config.xml.
I have not configured <redirect/> in the faces-config file.

I also tried using the returned string as the intercept-url in the security xml, but it did not work.
 
Joshua Antony
Ranch Hand
Posts: 254
http://forum.springframework.org/archive/index.php/t-11025.html

Regards,
Joshua
 
Joshua Antony
Ranch Hand
Posts: 254
I have already configured the filter as below




In spite of this, FilterSecurityInterceptor is not invoked during forward. What may be the reason?
 
Joshua Antony
Ranch Hand
Posts: 254
On further investigation, I found that FilterSecurityInterceptor is getting called during forward also, but the field observeOncePerRequest is true and hence authentication is not being done.

How can I reset this variable?
 
Joshua Antony
Ranch Hand
Posts: 254
After googling and investigating a little bit of the Spring source, I found the fix.

There was a fix made on HttpSecurityBeanDefinitionParser.java. In order to set observeOncePerRequest to false, we need to set once-per-request="false" in the http element as shown below

<http auto-config="true" realm="Contacts Realm" once-per-request="false">

Since checking is done as

in the HttpSecurityBeanDefinitionParser.java
 
Mark Spritzler
ranger
Sheriff
Posts: 17278
Thanks for posting the resolution.

Mark
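
The two settings this thread converges on, put side by side as an added example (not taken from any of the posts above): the security filter mapped to forwarded dispatches in web.xml, and once-per-request="false" on the http element. The filter name springSecurityFilterChain, the /a.jsp pattern and the ROLE_ADMIN role are assumptions for illustration.

```xml
<!-- WEB-INF/web.xml (fragment). A filter-mapping without <dispatcher>
     elements applies to REQUEST only, so an internal forward to a.jsp
     never passes through the security filter chain. -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name> <!-- assumed name -->
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>

<!-- Security context file (fragment, security namespace as default). -->

<!-- Before: once-per-request defaults to true. FilterSecurityInterceptor
     is reached on the forward but skips the access check because the
     request was already examined once. -->
<http auto-config="true" realm="Contacts Realm">
  <intercept-url pattern="/a.jsp" access="ROLE_ADMIN"/> <!-- assumed rule -->
</http>

<!-- After: the interceptor re-evaluates the intercept-url rules on every
     dispatch that reaches it, including the forward to /a.jsp. -->
<http auto-config="true" realm="Contacts Realm" once-per-request="false">
  <intercept-url pattern="/a.jsp" access="ROLE_ADMIN"/> <!-- assumed rule -->
</http>
```

Both parts are needed: the dispatcher mapping gets the forward into the filter chain, and once-per-request="false" makes the interceptor check it again.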
 