0

I have integrated my Spring MVC application with Shiro for security reasons.

All my URLs are working fine, but I have a few HTML pages which can be accessed directly without hitting my controllers.

How can I protect those pages, meaning that if a user is not logged in to the application and tries to open an HTML page, he should be redirected to the login page?

    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Application URLs:

http://ip:port - works fine, redirects to the login page

http://ip:port/html/ - opens the HTML pages

How can I protect this?

alexbt
Ankur Singhal

1 Answer

0

I would make whatever page you redirect to after the login page the default page.

In your controller, protect that page with the @Secured("USER_ROLE") annotation at method level, set to the user role of a regular user. In fact, I would do that with every page.

The user should be redirected back to the login page, then go to the page they tried to reach.

bmarkham
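
An added example, not part of the question or the answer and not the asker's actual configuration: in Shiro, requests for static files are governed by the URL chain definitions on the `shiroFilter` bean that the `DelegatingFilterProxy` in the question delegates to, so a path such as `/html/` is protected by mapping it to `authc` there. The bean id `securityManager` and the `/login` URL are assumptions.

```xml
<!-- Hypothetical Spring bean definition; the bean id must match the
     <filter-name> used by DelegatingFilterProxy in web.xml. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <!-- Assumed bean id of the application's Shiro SecurityManager -->
    <property name="securityManager" ref="securityManager"/>
    <!-- Assumed login URL; unauthenticated requests to authc paths are redirected here -->
    <property name="loginUrl" value="/login"/>
    <property name="filterChainDefinitions">
        <value>
            # The first matching pattern wins, so specific rules go above the catch-all.
            # Weak: an anon rule (or no matching rule at all) leaves static pages open:
            #   /html/** = anon
            # Corrected: static pages require an authenticated session.
            /html/** = authc
            /** = authc
        </value>
    </property>
</bean>
```

A path that matches no chain definition passes through the Shiro filter without an authentication check, which is why the catch-all `/** = authc` line is kept last.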