Authentication based on params in url using Spring Security

kuldeep sidhu
Greenhorn

Joined: Jan 07, 2014
Posts: 18
Hi All,
I want to implement the following authentication in my application.

1. All the pages having /users/** can be accessed by User or Admin.
2. The page /user?new is a register page. It should only be accessible to non-logged-in users,
where new is a parameter.
In the controller I have a RequestMapping for this URL.

I tried the following, but it is not working.

Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1680

The Ant style pattern matcher that is used by default is not going to pay any attention to your parameter. The correct way to do this would be to create another <http> element before that one that defines a request-matcher-ref attribute referencing your own custom RequestMatcher. I would name this class ParamMatcher or some such thing. This matcher would inspect the parameter and return true if it matched.

Note that in your case, since you have other rules in another <http> block protecting things, and this rule is allowing everyone access, you are probably OK, but as a general rule of thumb, matching on parameters is not secure, as it's easy to reorder parameters or add patterns to bypass security altogether, so be careful when doing this sort of thing. In general it would be better to create a new path rather than having a parameter.


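A sketch of the ParamMatcher suggested in the reply above, added here as an example; it is not code from the thread or from Spring Security itself. It assumes Spring Security 3.2 or later (where RequestMatcher lives in the `web.util.matcher` package) and the `javax.servlet` API; the package `com.example` and the bean id `registerMatcher` are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Matches one exact path, and only when the named request parameter is present.
 *
 * Assumed wiring (bean id and package are hypothetical), placed before the
 * <http> block that protects /users/**:
 *
 *   <beans:bean id="registerMatcher" class="com.example.ParamMatcher">
 *     <beans:constructor-arg value="/user"/>
 *     <beans:constructor-arg value="new"/>
 *   </beans:bean>
 *   <http request-matcher-ref="registerMatcher" use-expressions="true">
 *     <intercept-url pattern="/**" access="isAnonymous()"/>
 *   </http>
 */
public class ParamMatcher implements RequestMatcher {

    private final String path;
    private final String paramName;

    public ParamMatcher(String path, String paramName) {
        if (path == null || paramName == null) {
            throw new IllegalArgumentException("path and paramName are required");
        }
        this.path = path;
        this.paramName = paramName;
    }

    @Override
    public boolean matches(HttpServletRequest request) {
        // Compare the container-resolved path, not the raw URI or query string,
        // so ";jsessionid=..." style path parameters do not change the result.
        String requestPath = request.getServletPath();
        if (request.getPathInfo() != null) {
            requestPath += request.getPathInfo();
        }
        if (!path.equals(requestPath)) {
            return false;
        }
        // Use the parsed parameter map rather than string-matching "?new":
        // presence is then independent of parameter order or extra parameters.
        return request.getParameterMap().containsKey(paramName);
    }
}
```

A request to /user without the `new` parameter does not match this block and falls through to the next <http> element, so the later blocks must still deny by default.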