
Spring security intercept-url question

Joshua Antony
Ranch Hand

Joined: Jun 05, 2006
Posts: 254
Hi All,

I am using Spring Security and have configured below in the configuration file



The problem is that a.jsp is called using forward and not using redirect. Hence, although the user does not have access to this page, he is able to access it.

Does it mean that interceptor works only with redirect?


Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249
    

No, this is a common mistake. The url in the xml is the URL, not the view resource. You put in .jsp which tells me you have a jsp page that is the view. It does not say what the incoming url that is coming in will be.

So I have a url coming in like

www.myapp.com/orders/findOrder.htm but after it runs my code it will return a view, the view could be displayOrders.jsp

So instead of using /displayOrders.jsp in the intercept-url, I am not securing that particular view page file, I am securing the incoming URL of findOrder.htm

Hope that helps clear things up

Mark


Joshua Antony
Ranch Hand

Joined: Jun 05, 2006
Posts: 254
Thanks Mark,

In our application while navigating from one page to another we are using forward and not redirect.

Hence the URL does not change in the browser.

Is there any workaround for this case?
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249
    

Originally posted by Joshua Antony:
Thanks Mark,

In our application while navigating from one page to another we are using forward and not redirect.

Hence the URL does not change in the browser.

Is there any workaround for this case?


OK, let me try to rephrase. The string in the intercept-url is a view string only, which a Spring viewResolver will use to get the real view page. The intercept-url is not a real URL. It all depends on which view resolver you are using.

So give me an example of a Controller you have, in which you return a view String that works correctly for you.

Mark
Joshua Antony
Ranch Hand

Joined: Jun 05, 2006
Posts: 254
Hi Mark,

We are not using Spring MVC, we are using JSF.

In action methods we return a string that maps to an entry in faces-config.xml.
I have not configured <redirect/> in the faces-config file.

I also tried using the returned string as the intercept-url in the security xml, but it did not work.
Joshua Antony
Ranch Hand

Joined: Jun 05, 2006
Posts: 254
http://forum.springframework.org/archive/index.php/t-11025.html

Regards,
Joshua
Joshua Antony
Ranch Hand

Joined: Jun 05, 2006
Posts: 254
I have already configured the filter as below




In spite of this, FilterSecurityInterceptor is not invoked during forward. What may be the reason?
Joshua Antony
Ranch Hand

Joined: Jun 05, 2006
Posts: 254
On further investigation, I found that FilterSecurityInterceptor is getting called during forward also, but the field observeOncePerRequest is true and hence authentication is not being done.

How can I reset this variable?
Joshua Antony
Ranch Hand

Joined: Jun 05, 2006
Posts: 254
After googling and investigating a little bit of the Spring source, I found the fix.

There was a fix made on HttpSecurityBeanDefinitionParser.java. In order to set observeOncePerRequest as false we need to set once-per-request="false" in the http element as shown below

<http auto-config="true" realm="Contacts Realm" once-per-request="false">

Since checking is done as

in the HttpSecurityBeanDefinitionParser.java
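
Added example, not part of the original thread and not Spring Security source code: a simplified Java model of the once-per-request behaviour described above, showing why a forward to a.jsp passes unchecked when the flag is true and is checked when it is false. The class names, the marker attribute name, the /index.jsf entry path and the ROLE_ADMIN rule are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Simplified model for illustration; this is not Spring Security source code.
public class OncePerRequestDemo {
    // Hypothetical name for the "already checked" marker stored on the request.
    static final String FILTER_APPLIED = "demo.filterApplied";

    // Constructed rule set (path -> required role), standing in for intercept-url entries.
    static final Map<String, String> RULES = Map.of("/a.jsp", "ROLE_ADMIN");

    // Minimal stand-in for a servlet request: attributes survive a forward, the path changes.
    static class Request {
        String path;
        final Map<String, Object> attributes = new HashMap<>();
        Request(String path) { this.path = path; }
    }

    static class SecurityFilter {
        private final boolean observeOncePerRequest;
        SecurityFilter(boolean observeOncePerRequest) { this.observeOncePerRequest = observeOncePerRequest; }

        // Returns true if the request may continue to the resource at req.path.
        boolean allow(Request req, Set<String> roles) {
            if (observeOncePerRequest && req.attributes.containsKey(FILTER_APPLIED)) {
                return true; // already checked once for this request, so the rules are skipped
            }
            req.attributes.put(FILTER_APPLIED, Boolean.TRUE);
            String required = RULES.get(req.path);
            return required == null || roles.contains(required);
        }
    }

    // Client requests entryPath, the application forwards to targetPath.
    // The filter is assumed to be mapped for both REQUEST and FORWARD dispatches.
    static boolean reachesTarget(boolean oncePerRequest, String entryPath, String targetPath, Set<String> roles) {
        SecurityFilter filter = new SecurityFilter(oncePerRequest);
        Request req = new Request(entryPath);
        if (!filter.allow(req, roles)) return false;
        req.path = targetPath; // forward: same request object, new path
        return filter.allow(req, roles);
    }

    public static void main(String[] args) {
        Set<String> roles = Set.of("ROLE_USER"); // constructed user without ROLE_ADMIN
        System.out.println("once-per-request=true:  " + reachesTarget(true, "/index.jsf", "/a.jsp", roles));
        System.out.println("once-per-request=false: " + reachesTarget(false, "/index.jsf", "/a.jsp", roles));
    }
}
```

In this model the forwarded request reaches /a.jsp when the flag is true and is denied when it is false, because only then are the rules evaluated again against the forwarded path.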
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249
    

Thanks for posting the resolution.

Mark
 