
Authentication based on params in url using Spring Security

 
kuldeep sidhu
Hi All,
I want to implement the following authentication in my application.

1. All the pages having /users/** can be accessed by User or Admin.
2. The page /user?new is a register page. It should be only accessible to non-logged in users.
where new is a parameter.
In the controller I have a RequestMapping for this url.

I tried the following, it is not working

 
Bill Gorder
The Ant style pattern matcher that is used by default is not going to pay any attention to your parameter. The correct way to do this would be to create another <http> element before that one that defines a request-matcher-ref attribute referencing your own custom RequestMatcher. I would name this class ParamMatcher or some such thing. This matcher would inspect the parameter and return true if it matched.

Note that in your case since you have other rules in another <http> block protecting things, and this rule is allowing everyone access, you are probably OK, but as a general rule of thumb matching on parameters is not secure, as it's easy to reorder parameters or add patterns to bypass security altogether, so be careful when doing this sort of thing. In general it would be better to create a new path rather than having a parameter.
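
An added example, not part of the original posts and not Spring Security's own code: one way to write the ParamMatcher class described in the answer above, for use through request-matcher-ref. It assumes Spring Security 3.2 or later (where RequestMatcher lives in org.springframework.security.web.util.matcher) and the javax.servlet API; the constructor arguments and field names are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Matches only when the request path is exactly the configured path AND the
 * configured parameter is present, e.g. new ParamMatcher("/user", "new")
 * for /user?new. Illustrative class, names are assumptions.
 */
public class ParamMatcher implements RequestMatcher {

    private final String path;       // exact path to match, e.g. "/user"
    private final String paramName;  // parameter that must be present, e.g. "new"

    public ParamMatcher(String path, String paramName) {
        if (path == null || paramName == null) {
            throw new IllegalArgumentException("path and paramName are required");
        }
        this.path = path;
        this.paramName = paramName;
    }

    @Override
    public boolean matches(HttpServletRequest request) {
        // Use the container-decoded path rather than the raw request URI,
        // so encoded characters cannot make two spellings of one path differ.
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        String requestPath = (pathInfo == null) ? servletPath : servletPath + pathInfo;

        // Exact comparison: "/user/anything" or "/users" must not match here
        // and will fall through to the stricter rules in the next <http> block.
        if (!path.equals(requestPath)) {
            return false;
        }

        // The parameter map is parsed by the container, so the check does not
        // depend on parameter order or on what else is in the query string.
        // Note that it also includes form parameters from a POST body.
        return request.getParameterMap().containsKey(paramName);
    }
}
```

Because this matcher selects a rule that relaxes access, returning false is the safe outcome: an unmatched request is handled by the later, more restrictive block.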

 
I agree. Here's the link: http://aspose.com/file-tools
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic