
I have a simple Spring Security config in root context:

    <security:http auto-config="true">
        <security:intercept-url pattern="/trac" access="ROLE_ADMIN" />

        <security:form-login login-page="/login"
               default-target-url="/home"
               authentication-failure-url="/loginfailed"/>
        <security:logout logout-success-url="/logout" />
    </security:http>

I would like to secure all requests that come to my app. My context root is 'trac', so when I run the app from Eclipse it loads the http://localhost:8080/trac/ url. I thought this mapping would block any uri with /trac. However, only the /trac url itself is in fact intercepted and secured. When I paste a more detailed url, for instance http://localhost:8080/trac/cars/add, it's not intercepted and I can simply access any resource and address. I also tried:

    <security:intercept-url pattern="/trac/**" access="ROLE_ADMIN" />

with no success. How to fix this config?

jarosik
  • It is the pattern inside the root of your application. Just use `/**`. Remove the context root from the filter mappings. – M. Deinum Oct 20 '15 at 10:50
  • I tried this one but then with http://localhost:8080/trac/ I get: This page can’t be displayed. What works is for example: where 'cars' is a mapping on class level – jarosik Oct 20 '15 at 10:52
  • Well of course, because you secured everything now, including your login page. So redirecting to the login page will redirect to the login page, will redirect to the login page, will redirect to the login page and so on and on and on ... So you don't want to secure everything; you want free access to the login page and probably also the logout and failure URL. – M. Deinum Oct 20 '15 at 10:55
  • Ok, that makes sense. Do you have any working solution to exclude /login? I tried a couple of examples from: http://stackoverflow.com/questions/3394657/spring-security-how-to-exclude-certain-resources but they all fail in my case – jarosik Oct 20 '15 at 11:05
  • Ok I got it: does the trick. It should be defined before /** otherwise it fails. Here is the reference: http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-form-and-basic. Thanks @M.Deinum – jarosik Oct 20 '15 at 11:11
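For reference, here is the shape the comments above converge on, written out as an added example rather than code from the question or from M. Deinum. It assumes the asker's Spring Security 3.1 namespace config without `use-expressions`, so it uses the `IS_AUTHENTICATED_ANONYMOUSLY` attribute shown in the linked reference section; with `use-expressions="true"` the equivalents would be `permitAll` and `hasRole('ROLE_ADMIN')`. Two points matter for security: patterns are matched against the path inside the application, so the context root `/trac` never appears in them (which is why `/trac/**` matched nothing and every other URL was left open), and the filter chain uses the first `intercept-url` that matches, so the anonymous exceptions must come before the catch-all `/**`.

```xml
<!-- Added example, not the question's own config: deny by default with /**,
     and list the pages that must stay reachable without a session first. -->
<security:http auto-config="true">
    <!-- First-match wins: these anonymous exceptions must precede /** or the
         login page itself becomes protected and redirects to itself forever. -->
    <security:intercept-url pattern="/login"       access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/loginfailed" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/logout"      access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <!-- Catch-all, relative to the context root: /cars/add, /home, and anything
         else under http://localhost:8080/trac/ now requires ROLE_ADMIN.
         The original pattern "/trac" matched only that single path, so every
         deeper URL fell through unprotected. -->
    <security:intercept-url pattern="/**" access="ROLE_ADMIN" />

    <security:form-login login-page="/login"
           default-target-url="/home"
           authentication-failure-url="/loginfailed" />
    <security:logout logout-success-url="/logout" />
</security:http>
```

One caveat when going to a deny-by-default `/**` rule: any static resources the login page needs (CSS, scripts, images) are now protected as well and will be redirected to the login page, so they need their own anonymous `intercept-url` entries placed above `/**` too. A quick check after the change is to request a deep URL such as `/trac/cars/add` in a fresh browser session and confirm it redirects to `/trac/login` instead of serving the page.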

0 Answers