Rewrite spring security redirect URLs

I am trying to get Tuckey UrlRewriteFilter to clean up the URLs for my webapp. One of the problems is that when spring-security notes that an anonymous user is trying to access a protected resource, it redirects to a URL that includes the servlet path.

What I want, for example:

    > GET http://localhost:8080/my-context/protected-resource
    < Location: http://localhost:8080/my-context/login

I am currently getting:

    > GET http://localhost:8080/my-context/protected-resource
    < Location: http://localhost:8080/my-context/-/login

Relevant documents I have found so far:

DefaultRedirectStrategy, which does the actual redirect: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/DefaultRedirectStrategy.html . This one has a contextRelative property that is tempting, but I don't think it will cut it, even if I can find a way to configure it.

Blog post that helped me so far: http://nonrepeatable.blogspot.com/2009/11/using-spring-security-with-tuckey.html

What I would like to know:

  • Can / should I convince Tuckey to rewrite the Location header? <outgoing rule> seems to help nothing.
  • You can / need to somehow configure the SS configuration to fix the rewritten URL. I do not think this is pretty accurate, as it will break if the rewrite is disabled.

web.xml looks like

    <!-- Tuckey rewrites incoming REQUEST dispatches only -->
    <filter>
        <filter-name>UrlRewriteFilter</filter-name>
        <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
        <init-param>
            <param-name>logLevel</param-name>
            <param-value>log4j</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>UrlRewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

    <!-- Spring Security also runs on the FORWARD produced by the rewrite -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

    <servlet>
        <servlet-name>my-servlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <!-- the servlet is mapped under the /-/ prefix -->
    <servlet-mapping>
        <servlet-name>my-servlet</servlet-name>
        <url-pattern>/-/*</url-pattern>
    </servlet-mapping>

urlrewrite.xml as follows:

    <urlrewrite>
        <rule>
            <from>^/(.*)$</from>
            <to>/-/$1</to>
        </rule>
    </urlrewrite>

applicationContext-security.xml as follows:

    <http auto-config="true">
        <!-- allow GET requests to /login without authentication -->
        <intercept-url pattern="/-/login" method="GET" filters="none"/>
        <intercept-url pattern="/-/admin/**" access="ROLE_ADMIN"/>
        <intercept-url pattern="/-/**" access="ROLE_USER"/>
        <form-login login-page="/-/login"
                    login-processing-url="/-/login.do"
                    authentication-failure-url="/-/login?login_error"
                    default-target-url="/-/index"
                    always-use-default-target="true"/>
        <logout logout-url="/-/logout" logout-success-url="/-/login"/>
        <access-denied-handler error-page="/-/access-denied"/>
    </http>
+6
java spring-mvc spring-security url-rewriting tuckey-urlrewrite-filter
4 answers

I studied this question for our project last year, and at that time the problem was that Tuckey did not cooperate with response.encodeRedirectUrl() to rewrite the redirect URLs. I contacted them, but I did not.

My solution was to allow the messy URL to return to the client, but then clear it using the Tuckey redirect rule (second redirect).

So, add another rule that matches your ugly URL from security redirects and issue your own redirect to a clean URL:

    <rule>
        <from>^/whatever/ugly.*$</from>
        <to type="redirect">/login</to>
    </rule>

Yes, this is due to two redirects, but the client will never see it ... which is probably the point.

+2

Spring Security redirects with an absolute URL, e.g. http://example.org/-/login

Try using an outgoing rule without the ^ start of string token to match the absolute URL created with spring.

    <outbound-rule>
        <from>/-/login(.*)$</from>
        <to>/login$1</to>
    </outbound-rule>
+1
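
Why the `^` matters in the outbound rule above, as an added example that is not part of the original answer: it runs the anchored and unanchored patterns through plain java.util.regex against constructed Location values built from the question's URLs. The `applyRule` helper, its find-anywhere matching, and the third, more general pattern are assumptions made for illustration, not Tuckey's code.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OutboundRuleDemo {

    // Assumption: a rule applies when <from> is found anywhere in the URL
    // (Matcher.find), and <to> replaces the matched part with $n substitution.
    static String applyRule(String from, String to, String url) {
        Matcher m = Pattern.compile(from).matcher(url);
        return m.find() ? m.replaceFirst(to) : url;
    }

    public static void main(String[] args) {
        // Constructed Location values, based on the URLs in the question.
        String[] locations = {
            "http://localhost:8080/my-context/-/login",
            "http://localhost:8080/my-context/-/login?login_error",
            "http://localhost:8080/my-context/-/index",
            "/my-context/-/login"
        };
        String[][] rules = {
            // Anchored: never matches, an absolute URL starts with "http", not "/-/".
            {"^/-/login(.*)$", "/login$1"},
            // The answer's rule: matches the tail of the absolute URL, login only.
            {"/-/login(.*)$", "/login$1"},
            // Hypothetical stricter rule: optional origin, one context segment,
            // then the /-/ servlet prefix. Covers every /-/ redirect target in
            // the security config (login, index, access-denied).
            {"^(https?://[^/]+)?(/[^/]+)/-/(.*)$", "$1$2/$3"}
        };
        for (String[] rule : rules) {
            System.out.println("from=" + rule[0] + "  to=" + rule[1]);
            for (String loc : locations) {
                System.out.println("  " + loc + "\n    -> "
                        + applyRule(rule[0], rule[1], loc));
            }
        }
    }
}
```

With the anchored pattern every Location comes back unchanged, while the unanchored rule yields `http://localhost:8080/my-context/login` and keeps the `?login_error` query string.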

I ran into the same problem, but this is similar to Tuckey version 3.2.0. i.e. response.encodeRedirectUrl() is now wrapped by Tuckey's UrlRewriteWrappedResponse, where the outbound rule is executed.

+1

I have never used Tuckey, but after a quick look at the documentation, I would try to add one rule for login:

    <urlrewrite>
        <rule>
            <from>^/my-context/login$</from>
            <to>/my-context/login</to>
        </rule>
        <rule>
            <from>^/(.*)$</from>
            <to>/-/$1</to>
        </rule>
    </urlrewrite>

EDIT
Ok, and something like this:

    <urlrewrite>
        <rule>
            <from>^/-/login$</from>
            <to>/login</to>
        </rule>
        <rule>
            <from>^/(.*)$</from>
            <to>/-/$1</to>
        </rule>
    </urlrewrite>
0