I want Spring Security to block access when the dynamic URL changes.
http://domain.com//** shareURL is an ID. The problem I have is that if I access shareID 1, the program tells me I need to log in (all OK), but if, once logged in, I try to open shareID 2, the program should tell me to log in again because it is not my session, but now the program permits me to access this shareID.
How can I block the user from changing the shareID without logging in?
I'm also using pre-auth, because if a specific shareID does not require a password, Spring Security bypasses the auth to avoid the login page and injects a fake Auth. The main problem is this:
ShareID 1 (does not require a password)
ShareID 2 (requires a specific password)
If I log in with share 1 (auto login without password), I can access shareID 2 (because I'm logged in), but I shouldn't be able to.
Spring-security.xml (only the problem config)
-->
<!-- Share Authentication Manager -->
<beans:bean id="shareUserService" class="com.segator.ownline.service.impl.OwnlineShareSecurityService" />
<beans:bean id="preAuthenticationProvider"
            class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <beans:property name="preAuthenticatedUserDetailsService" ref="shareUserService" />
</beans:bean>
<beans:bean id="preAuthFilter"
            class="com.segator.ownline.controller.config.ShareLinkAuthenticationFilter">
    <beans:property name="authenticationManager" ref="appControlAuthenticationManager" />
</beans:bean>
<authentication-manager alias="appControlAuthenticationManager" id="shareAuth">
    <authentication-provider ref="preAuthenticationProvider" />
</authentication-manager>
I think I need extra configuration that tells Spring Security that if the user changes the shareID, login is required. For example, if I could implement a proper method for intercept-url, for example:
intercept-url pattern="/share/**" access="hasRole('ROLE_SHARE') && sameShareIDLogged()"
Sorry for my bad English, I'm just studying it for now.
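The kind of check the question asks for (the requested share ID must match the share ID the session was authenticated for), as an added example that is not part of the original post or of the project's code. `ShareGuard`, `sameShare` and `shareIdFrom` are hypothetical names, and the example assumes that the pre-auth filter stores the share ID as the principal name and that shares live under `/share/<id>/...`.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;

/**
 * Hypothetical guard bean: allows a request only when the share ID in the URL
 * equals the share ID the current session was authenticated for.
 */
public class ShareGuard {

    private static final String PREFIX = "/share/";

    /** Assumption: the pre-auth filter sets the share ID as the principal name. */
    public boolean sameShare(Authentication auth, HttpServletRequest request) {
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            return false; // no authenticated share session at all
        }
        String requested = shareIdFrom(request);
        // Fail closed: a missing or different share ID is never allowed.
        return requested != null && requested.equals(auth.getName());
    }

    /** Returns "2" for "/ctx/share/2/files/a.txt", or null if there is no share ID. */
    static String shareIdFrom(HttpServletRequest request) {
        String path = request.getRequestURI()
                             .substring(request.getContextPath().length());
        if (!path.startsWith(PREFIX)) {
            return null;
        }
        String rest = path.substring(PREFIX.length());
        int slash = rest.indexOf('/');
        String id = slash < 0 ? rest : rest.substring(0, slash);
        int semi = id.indexOf(';'); // drop path parameters such as ;jsessionid=...
        if (semi >= 0) {
            id = id.substring(0, semi);
        }
        // getRequestURI() is not URL-decoded, so an encoded ID such as "%32"
        // does not equal "2" and the request is denied.
        return id.isEmpty() ? null : id;
    }
}
```

Registered as a bean with the id `shareGuard`, it can be called from the `access` expression as `hasRole('ROLE_SHARE') and @shareGuard.sameShare(authentication, request)` in Spring Security versions that support bean references in web security expressions. A failed check produces an access-denied response for the already authenticated session rather than a new login prompt.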