Home > Enterprise >  Exclude certain URL patterns from spring security
Exclude certain URL patterns from spring security

Time:05-17

I am using Spring Security 4 in my Struts app and want all the URLs to go through spring security except the URLs starting with /rest. How can I get this to work as I understand that regex patterns are not allowed to be used in web.xml. Hence, <url-pattern>^(?!\/rest).*$</url-pattern> does not work.

web.xml

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>^(?!\/rest).*$</url-pattern>              <!-- Doesn't work -->
</filter-mapping>

security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:security="http://www.springframework.org/schema/security"
       xmlns:beans="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http use-expressions="true" create-session="ifRequired" request-matcher="regex">
        <security:intercept-url pattern="^\/(css|fonts|help|images|layouts|scripts).*$" access="permitAll"/>
        <security:intercept-url pattern="^\/login.*$" access="permitAll"/>
        <security:intercept-url pattern="^\/logout.*$" access="permitAll"/>
        <security:intercept-url pattern="^\/accessDenied.cprms$" access="permitAll"/>

        <security:intercept-url pattern="^.*.jsp$" access="isAuthenticated()"/>
        <security:intercept-url pattern="^\/errors\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole','changePasswordRole')"/>
        <security:intercept-url pattern="^\/control\/.*$" access="isAuthenticated()"/>
        <security:intercept-url pattern="^\/control\/jobStatus.cprms$" access="isAuthenticated()"/>
        <security:intercept-url pattern="^\/sysad\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole')"/>
        <security:intercept-url pattern="^\/userad\/.*$" access="hasAnyAuthority('superRole','adminRole')"/>
        <security:intercept-url pattern="^\/myprofile\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole','changePasswordRole')"/>
        <security:intercept-url pattern="^\/config\/carpark\/carParkDetails.cprms$" access="isAuthenticated()"/>
        <security:intercept-url pattern="^\/config\/carpark\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
        <security:intercept-url pattern="^\/config\/product\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
        <security:intercept-url pattern="^\/config\/splevt\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
        <security:intercept-url pattern="^\/config\/alert\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
        <security:intercept-url pattern="^\/config\/location\/.*$" access="hasAnyAuthority('superRole','supportRole','nolocation')"/>
        <security:intercept-url pattern="^\/config\/competitor\/details\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
        <security:intercept-url pattern="^\/config\/competitor\/product\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
        <security:intercept-url pattern="^\/config\/consolidator\/interface\/.*$" access="hasAnyAuthority('superRole','adminRole')"/>
        <security:intercept-url pattern="^\/config\/consolidator\/details\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
        <security:intercept-url pattern="^\/config\/consolidator\/product\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','businessRole','operationalRole')"/>
        <security:intercept-url pattern="^\/monitor\/config\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
        <security:intercept-url pattern="^\/monitor\/configure\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
        <security:intercept-url pattern="^\/monitor\/operation\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
        <security:intercept-url pattern="^\/recommendedSettings.cprms$" access="isAuthenticated()"/>
        <security:intercept-url pattern="^\/.*errors.cprms$" access="isAuthenticated()"/>
        <security:intercept-url pattern="^\/upload\/uploadExtract\/.*$" access="hasAnyAuthority('uploadExtractRole')"/>

        <security:intercept-url pattern="^\/.*$" access="isAuthenticated()"/>

        <security:form-login
                login-page="/loginRedirector.jsp"
                login-processing-url="/login"
                authentication-failure-handler-ref="authenticationFailureHandler"
                default-target-url="/welcome.jsp"
                always-use-default-target="true"
                username-parameter="j_username"
                password-parameter="j_password"
        />
        <security:logout logout-success-url="/loginRedirector.jsp" />

        <security:session-management invalid-session-url="/loginRedirector.jsp">
            <security:concurrency-control max-sessions="1" />
        </security:session-management>
        <security:csrf disabled="true"/>
    </security:http>

    <security:authentication-manager erase-credentials="false">
        <security:authentication-provider>
            <security:password-encoder ref="passwordEncoder" />
            <security:jdbc-user-service
                data-source-ref="globalDataSource"
                users-by-username-query="SELECT user_id AS `username`, PASSWORD AS `password`, IF(user_locked = 'N', 1, 0) AS `enabled` FROM `user` WHERE user_id = ?"
                authorities-by-username-query="SELECT u.user_id AS `username`, r.NAME AS `role` FROM `user` u INNER JOIN user_role ur ON ur.user_fk = u.user_pk INNER JOIN role AS r ON ur.role_fk = r.role_pk WHERE u.user_id = ?"
            />
        </security:authentication-provider>
        <security:authentication-provider ref="ssoAuthenticationProvider" />
    </security:authentication-manager>

    <beans:bean id="authenticationFailureHandler"  />
    <beans:bean id="passwordEncoder" />
    <beans:bean id="ssoAuthenticationProvider"  />

</beans:beans>

CodePudding user response:

I've never used it but I think this could work for you: DelegatingFilterProxy.

To use it, you need to add the snippet below to your web.xml:

<filter>
    <filter-name>filterProxy</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>filterProxy</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

and then configure the filterChainProxy bean to whitelist the /rest URL whilst applying all filters you need to the general case. Here is an example:

<bean id="filterChainProxy" >
<constructor-arg>
    <list>
    <sec:filter-chain pattern="/rest/**" filters="none" />
    <sec:filter-chain pattern="/**" filters="
        UsernamePasswordAuthenticationFilter,
        basicAuthenticationFilter,
        formLoginFilter,
        securityContextPersistenceFilterWithASCTrue,
        exceptionTranslationFilter,
        filterSecurityInterceptor" />
    </list>
</constructor-arg>
</bean>

The order above is important. The more restrict URLs must come first.

CodePudding user response:

As per my comment on the question, you may not need to define the controller to not have any security settings. But if you do, there are already other controllers in your security.xml that do something similar:

<security:intercept-url pattern="^\/rest/*$" access="permitAll"/>

Page link:https//www.codepudding.com/Enterprise/409784.html

Prev:Springfox Swagger 2 - Method paths(regex ("string")) does not work
Next:Is this correct implementation of pipelining in StackExchange.Redis in .NET?
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding