<security:intercept-url pattern="/person/**"
access="isAuthenticated()" />
<security:intercept-url pattern="/person?reg"
access="isAnonymous()" />
I want for filter to intercept all of the requests that are /person/blabla etc.
But there should be a single one available to anonymous users to register themself.
Whenever I introduce the first rule all sub requests are protected including the bottom one which is not what is required.
If I don't introduce first then the bottom request is allowed, but also all subsequent requests such as /person/myProfile can be accessed by anonymous user.
From the Spring Security docs:
You can use multiple elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top.
Also, spring uses ant-style pattern matching by default, which doesn't include the parameters when trying to make a match. You're wanting to also match on whether or not a parameter exists. In order to do that, you're going to need to set regex matching via the request-matcher attribute on http.
<http request-matcher="regex">
<security:intercept-url pattern="\A/person\?reg.*\Z" access="isAnonymous()" />
<security:intercept-url pattern="\A/person/.*\Z" access="isAuthenticated()" />
</http>
Related
I have this case in my project:
Imagine we have these two lines to define Spring Security access rules:
<intercept-url pattern="/xxx/*" access="isAuthenticated() and (hasRole('roleA') or hasRole('roleB'))" />
<intercept-url pattern="/xxx/yyy*" access="isAuthenticated() and (hasRole('role1') or hasRole('role2'))" />
These two patterns are nested, and an user may have a combination of roles like "roleA" and "role1", or "roleA" and "role2". What I want to achieve, is make users have "roleC" and "role1" cannot access to /xxx/yyy*.
So my question is:
When user with "roleC" and "role1" wants to get access with pattern "xxx/yyy222.html", will all lines of access rule be checked, or only the second line is checked? When considering the access rules for the second line, can I take it for granted that user can get into the url "xxx/yyy*" have only "roleA" and "roleB", or must I put complete rules for each single lines of rule?
The intercept-urls are processed in the order they are defined, the first with a pattern that matches the request path decides the access.
When user with "roleC" and "role1" wants to get access with pattern
"xxx/yyy222.html", will all lines of access rule be checked, or only
the second line is checked?
This matches the pattern of the first line and access will be denied.
When considering the access rules for the second line, can I take it
for granted that user can get into the url "xxx/yyy*" have only
"roleA" and "roleB", or must I put complete rules for each single
lines of rule?
The second line will never be evaluated. Be sure to specify more specific pattern first.
What I want to achieve, is make users have "roleC" and "role1" cannot
access to /xxx/yyy*.
Maybe you want something like:
<intercept-url pattern="/xxx/yyy*" access="isAuthenticated() and !(hasRole('roleC') and hasRole('role1'))" />
I am using the OmniFaces <o:viewParam> taghandler in my current project. I like it, it's great. And even greater is the <o:viewParamValidationFailed>. Now, we are able to send an error if validation or conversion fails. But I wonder, whether it is possible to distinguish between conversion failure and validation failure.
Let's say we want to send a Bad Request if the given view param in malformed and can not be converted; for that matter send a Not Found if conversion succeeded, but the object could not be found in the database; and send a Forbidden if the successfully fetched object should not be accessed by the user.
Does anybody know a way to achieve this?
It's unfortunately not possible to distinguish between a ConverterException and ValidatorException when you've only UIInput#isValid() at hands. Theoretically, you could check and test the faces message to see if it represents a conversion or validation error, but this is not a robust approach, certainly not when it's localized.
On the other hand, it's possible to declare multiple view parameters on the same parameter name. You do not necessarily need to specify a value to set it as model value.
Here's an example based on your description, note that the model value is only set on the last one:
<o:viewParam name="foo">
<f:converter converterId="yourFooConverter" />
<o:viewParamValidationFailed sendError="400" />
</o:viewParam>
<o:viewParam name="foo">
<f:converter converterId="yourFooConverter" />
<f:validateRequired />
<o:viewParamValidationFailed sendError="404" />
</o:viewParam>
<o:viewParam name="foo" value="#{bean.foo}">
<f:converter converterId="yourFooConverter" />
<f:validateRequired />
<f:validator validatorId="yourRestrictedAccessValidator" />
<o:viewParamValidationFailed sendError="403" />
</o:viewParam>
To avoid the expensive job of calling the DB on every conversion, let the YourFooConverter implementation store the converted value as a custom attribute of the FacesContext and then check it on every pass.
Spring security configuration:
intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"`
intercept-url pattern="/**" access="ROLE_USER"
form-login login-page='/login.jsp'
I am new in spring security. I have some questions:
what is meaning of "IS_AUTHENTICATED_ANONYMOUSLY"?
why there is error in it? (i read in documentation that there is error in it due to infinite loop.)
If there are more intercept rules than how it will be evaluate?
First things first.. Always Always always give anonymous access to your Login and Registration screens. ANONYMOUS= NO AUTHENTICATION REQUIRED. Failing to do so will never allow any user to use ur application and ur page will end up loading forever.. Also keep your static resources (CSS, JS, Images etc) away from security filters. In MOST of the cases these static resources never require security
This code snippet explains the above description:
<security:http pattern = "/css/**" security = "none"/>
<security:http pattern = "/anonymous/**" security = "none"/>
<security:http pattern = "/loginpage/**" security = "none"/>
<security:http pattern = "/forgotpassword/**" security = "none"/>
<security:http pattern = "/registerpage/**" security = "none"/>
<security:http pattern = "/js/**" security = "none"/>
<security:http pattern = "/images/**" security = "none"/>
IS_AUTHENTICATED_ANONYMOUSLY - this is means anyone can access this page without logged in to your system.
ROLE_USER - Means only users who have ROLE = ROLE_USER can access those URLS that match with your pattern.
If There are more intercept rules than there are follow the same as above, one - by - one but ORDER OF THIS MATERS for the matching. If your first pattern match with your requested URL than it will not look for other. so during given intercept rules you need to take care of the order in which they are written.
Hope this help.
what is meaning of "IS_AUTHENTICATED_ANONYMOUSLY"?
this means anyone can access this page without logging in.
why there is error in it?
You have an infinite loop because the login page should not be secured. The login page should not be secured for anyone to be able to enter it's credentials.
My application can use one of two web services, lets call them WS A and WS B. Both contain the same interface.
I want to perform some logic on the HTTP headers and request channel. WS B should only used on certain request channels. To decide which channel is used I have created a Java class that takes the request channel as a String parameter.
<http:outbound-gateway request-channel="XXXXX"
url-expression="'${EL EXP}'" http-method="GET"
extract-request-payload="true" expected-response-type="java.lang.String"
charset="UTF-8" reply-timeout="3000" reply-channel="XXXXX">
</http:outbound-gateway>
I then read that the url-expression is evaluated when the context is initialised.
source : http://forum.springsource.org/showthread.php?113446-Usage-of-expressions-in-http-namespace-element-url
<int-http:outbound-gateway request-channel="requestChannel"
url="dummy"
http-method="GET" extract-request-payload="true" expected-response-type="java.lang.String"
charset="UTF-8" reply-timeout="3000" reply-channel="sysLoggerRequestChannel">
<int-http:uri-variable name="teststring" expression="test"/>
<int-http:uri-variable name="url" expression="evalClass.getDestinationForChannel(teststring)"/>
</int-http:outbound-gateway>
The problem with this approach is that the expressions in int-http:uri-variable do not seem to be evaluation.
All this makes me believe I am taking the wrong approach. Any help would be very appreciated.
If you have two separate web service end points and a way to determine which one to use per message then a Spring Integration router would be better suited to directing your messages around. This has the added advantage that you can do further processing on your messages specific to the endpoint prior to sending.
There are many many ways to configure a router, including writing an entirely custom one, so I suggest reading through that whole section to see what will work best for you.
A quick example based on message type:
<int:payload-type-router input-channel="requests">
<int:mapping type="my.business.WebServiceARequest" channel="wsA" />
<int:mapping type="my.business.WebServiceBRequest" channel="wsB" />
</int:payload-type-router>
<int-http:outbound-gateway request-channel="wsA" url="http://wsA.com/whatever"
... />
<int-http:outbound-gateway request-channel="wsB" url="http://wsB.com/foo"
... />
To refer to a Spring Bean you should use #. So instead of expression="evalClass.getDestinationForChannel(teststring)" it will be expression="#evalClass.getDestinationForChannel(teststring)".
I have two patterns for which same filters are to be applied.
<security:filter-chain pattern="/home.do*" filters="a,b,c,d" />
<security:filter-chain pattern="/login.do*" filters="a,b,c,d" />
Along with the above two there are many other unique patterns and a generic pattern /**/*.do*/** as well.
Can I specify comma separated multiple patterns in the pattern attribute like below:
<security:filter-chain pattern="/home.do*, /login.do*" filters="a,b,c,d" />
Yes you can, but the implementation depends on Spring Security version you are using.
In 3.0 you can use path-type attribute:
<security:filter-chain-map path-type="regex">
<security:filter-chain pattern="^/(test|home)\.do$" filters="a,b,c,d" />
<!-- other patterns -->
<security:filter-chain-map path-type="regex">
In 3.1 you can either use request-matcher attribute (which deprecates path-type, just change path-type to request matcher in previous example), or you can use multiple http elements with request-matcher-ref bean and do this:
<http pattern="test.do,home.do" security="none" <!-- 'none' as example -->
request-matcher-ref="requestMatcher" />
<bean id="requestMatcher" class="com.example.CommaSeparatedRequestMatcher" />
with your custom implementation of CommaSeparatedRequestMatcher (which splits URL created from request and triest to match any string), based on, for example, RegexRequestMatcher.