Order of url-intercept patterns in Spring Security

In appSecurity.xml, I have the following:

<intercept-url pattern="/users/profile/**" access="hasRole('VIEW_PROFILES')" />

<intercept-url pattern="/users/profile/edit/**" access="hasRole('EDIT_PROFILES')" />

I have a page /users/profiles/edit/addnew, and when a user with the VIEW_PROFILES role tries to access this page, he gets it successfully, but access for the user with the EDIT_PROFILES role is blocked.

What am I doing wrong?

+4
3 answers

Since "/users/profile/edit/" is more specific than "/users/profile/", it should be placed higher in the list.

Why

Patterns are always evaluated in the order in which they are defined. Thus, it is important that more specific patterns are defined higher in the list than less specific patterns. This is reflected in our example above, where the more specific /secure/super/ pattern appears higher than the less specific /secure/ pattern. If they were reversed, the /secure/ pattern would always match, and the /secure/super/ pattern would never be evaluated.

Source: Basic Security Filters

+9

Both John Farrelli and Rites are right. The intercept-url patterns are matched in that order. As soon as a match is found, the remaining patterns are ignored. This is why you should list more specific patterns earlier.

In your case, the path /users/profile/edit/somepage matches the pattern given in the first intercept-url, so Spring correctly checks whether the user has the role required by that rule. Apparently your EDIT_PROFILES users do not have the VIEW_PROFILES authority, so they are denied access. Likewise, your intention to restrict .../edit/ to users with EDIT_PROFILES privileges is undermined by the earlier expression that grants access to users with VIEW_PROFILES privileges.

Switching the order is an easy fix, and you probably also want to grant EDIT_PROFILES users the VIEW_PROFILES authority (in addition to the EDIT_PROFILES authority). Then consider using access="hasAnyRole('REQUIRED_ROLE')" rather than access="hasRole('REQUIRED_ROLE')" to simplify the access expressions.

+2

Make sure the EDIT_PROFILES rule is higher than the VIEW_PROFILES rule. If you look at the expression for VIEW_PROFILES, you will see that it covers all the URLs that would match EDIT_PROFILES. This means that if the VIEW_PROFILES rule comes first, Spring Security will never bother trying the EDIT_PROFILES rule.

+1
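The first-match behaviour that the second and third answers describe can be reproduced outside of Spring. The following is an added example, not code from the question, the answers, or Spring Security itself: a small Python simulation of how `<intercept-url>` rules are evaluated, with an Ant-style pattern matcher (`**` spans path segments, `*` and `?` stay within one segment), a deny-by-default decision for unmatched paths, and a heuristic lint that flags a later rule whose typical paths are already captured by an earlier one. The pattern and role names are taken from the question; the `ROLE_` prefix handling that real Spring `hasRole()` performs is deliberately left out, and `shadowed_rules` is an assumption of this example, not a Spring feature.

```python
import re

def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate a Spring-style Ant path pattern into an anchored regex.
    '/**' matches zero or more further segments, '*' matches within one
    segment and '?' matches a single non-slash character (simplified
    rendering of Spring's AntPathMatcher semantics)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def first_match(rules, path):
    """Return the (pattern, required_role) of the first rule whose pattern
    matches the path, exactly as the filter chain stops at the first hit."""
    for pattern, required_role in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, required_role
    return None

def is_allowed(rules, path, granted_roles):
    """Deny by default: a path that matches no rule is refused; otherwise the
    decision comes solely from the first matching rule."""
    hit = first_match(rules, path)
    if hit is None:
        return False
    return hit[1] in granted_roles

def shadowed_rules(rules):
    """Heuristic lint (an assumption of this example): a later rule is
    reported as shadowed when an earlier pattern already matches the later
    pattern's representative path (its wildcards replaced by sample text),
    because first-match ordering will never reach it for such paths."""
    findings = []
    for i, (later, _) in enumerate(rules):
        sample = later.replace("**", "sample").replace("*", "sample").replace("?", "s")
        for earlier, _ in rules[:i]:
            if ant_to_regex(earlier).match(sample):
                findings.append((earlier, later))
                break
    return findings

# Rule lists constructed from the question: the order as posted, and the fix.
ORIGINAL_ORDER = [
    ("/users/profile/**", "VIEW_PROFILES"),
    ("/users/profile/edit/**", "EDIT_PROFILES"),
]
FIXED_ORDER = list(reversed(ORIGINAL_ORDER))

if __name__ == "__main__":
    path = "/users/profile/edit/addnew"
    for label, rules in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        print(label, "viewer:", is_allowed(rules, path, {"VIEW_PROFILES"}),
              "editor:", is_allowed(rules, path, {"EDIT_PROFILES"}),
              "shadowed:", shadowed_rules(rules))
```

Running the script reproduces the symptom from the question with `ORIGINAL_ORDER` (a VIEW_PROFILES user reaches the edit page, an EDIT_PROFILES user is refused) and shows `FIXED_ORDER` behaving as intended; the lint names the `/users/profile/**` rule as the one shadowing `/users/profile/edit/**`. It also shows the point made in the second answer: with the fixed order an editor holding only EDIT_PROFILES is still denied the plain profile pages, which is why that answer suggests granting editors VIEW_PROFILES as well.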
