Spring-security cannot match "?parameter" format?

spring spring-security spring-roo
10,604

Solution 1

By default spring security uses ant style matching, which can't match on parameters. Regex matching, however, can match on parameters

Try defining it like so:

<http request-matcher="regex">
  <security:intercept-url pattern="\A/userses\?form.*\Z" access="hasRole('ROLE_ADMIN')" />
</http>

Don't know why Roo doesn't do this automatically. Seems like it should.

Solution 2

That behavior is defined by the "request-matcher" in use. As indicated by the documentation, the default is "ant", which indicates to use an AntPathRequestMatcher, and an alternative is "regex", the RegexRequestMatcher. The javadocs (linked) give specifics about the matchers, including the fact that the former matches against a request's "servletPath + pathInfo", and the latter against its "servletPath + pathInfo + queryString".

Share:
10,604
JerryCai
Author by

JerryCai

Updated on June 16, 2022

Comments

  • JerryCai
    JerryCai almost 2 years

    I use spring-security to secure my web, when I'm learning it by spring-roo generated config file in applicationContext-security.xml, in <http> node:

     <intercept-url pattern="/userses?form" access="hasRole('ROLE_ADMIN')" />

    It means when you want to create a Users object, firstly you need to login to get ADMIN permission. But actually it didn't work. Check the log:

    2012-05-06 11:39:11,250 [http-8088-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/userses'; against '/userses?form'

    The framework use the /userses instead of /userses?form to compare with, authentication process skipped as string didn't match. To verify this I also try another url:

    <intercept-url pattern="/userses/abc" access="hasRole('ROLE_ADMIN')" />

    I requested the /userses/abc, it detected user is not authorized, and moved to /login page, checked the log:

    2012-05-06 11:46:44,343 [http-8088-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/uesrses/abc'; against '/userses/abc'

    So my question is: Doesn't spring-secure 3 support "?parameter" pattern or I missed something to config to support this? PS: All the code is generated by roo without modification, also wonder why it doesn't work.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

LDAP authentication failed:data 52e
Spring security authrorize based on input parameter criteria
Extract Currently Logged in User information from JWT token using Spring Security
Cannot get rid of "An Authentication object was not found in the SecurityContext" in a Spring Boot application without @WithMockUser
Connect multiple authentication mechanisms Spring Boot Security
Configure Spring security for Ldap connection
spring security redirect based on role
Custom WebSecurityConfigurerAdapter
Java Spring Security - User.withDefaultPasswordEncoder() is deprecated?
How does Spring Oauth2 login redirect work?