'Exclude certain URL patterns from spring security
I am using Spring Security 4 in my Struts app and want all the URLs to go through spring security except the URLs starting with /rest. How can I get this to work as I understand that regex patterns are not allowed to be used in web.xml. Hence, <url-pattern>^(?!\/rest).*$</url-pattern> does not work.
web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>^(?!\/rest).*$</url-pattern> <!-- Doesn't work -->
</filter-mapping>
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<security:http use-expressions="true" create-session="ifRequired" request-matcher="regex">
<security:intercept-url pattern="^\/(css|fonts|help|images|layouts|scripts).*$" access="permitAll"/>
<security:intercept-url pattern="^\/login.*$" access="permitAll"/>
<security:intercept-url pattern="^\/logout.*$" access="permitAll"/>
<security:intercept-url pattern="^\/accessDenied.cprms$" access="permitAll"/>
<security:intercept-url pattern="^.*.jsp$" access="isAuthenticated()"/>
<security:intercept-url pattern="^\/errors\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole','changePasswordRole')"/>
<security:intercept-url pattern="^\/control\/.*$" access="isAuthenticated()"/>
<security:intercept-url pattern="^\/control\/jobStatus.cprms$" access="isAuthenticated()"/>
<security:intercept-url pattern="^\/sysad\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole')"/>
<security:intercept-url pattern="^\/userad\/.*$" access="hasAnyAuthority('superRole','adminRole')"/>
<security:intercept-url pattern="^\/myprofile\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole','changePasswordRole')"/>
<security:intercept-url pattern="^\/config\/carpark\/carParkDetails.cprms$" access="isAuthenticated()"/>
<security:intercept-url pattern="^\/config\/carpark\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
<security:intercept-url pattern="^\/config\/product\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
<security:intercept-url pattern="^\/config\/splevt\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
<security:intercept-url pattern="^\/config\/alert\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
<security:intercept-url pattern="^\/config\/location\/.*$" access="hasAnyAuthority('superRole','supportRole','nolocation')"/>
<security:intercept-url pattern="^\/config\/competitor\/details\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
<security:intercept-url pattern="^\/config\/competitor\/product\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
<security:intercept-url pattern="^\/config\/consolidator\/interface\/.*$" access="hasAnyAuthority('superRole','adminRole')"/>
<security:intercept-url pattern="^\/config\/consolidator\/details\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
<security:intercept-url pattern="^\/config\/consolidator\/product\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','businessRole','operationalRole')"/>
<security:intercept-url pattern="^\/monitor\/config\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
<security:intercept-url pattern="^\/monitor\/configure\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
<security:intercept-url pattern="^\/monitor\/operation\/.*$" access="hasAnyAuthority('superRole','systemRole','supportRole','adminRole','businessRole','operationalRole')"/>
<security:intercept-url pattern="^\/recommendedSettings.cprms$" access="isAuthenticated()"/>
<security:intercept-url pattern="^\/.*errors.cprms$" access="isAuthenticated()"/>
<security:intercept-url pattern="^\/upload\/uploadExtract\/.*$" access="hasAnyAuthority('uploadExtractRole')"/>
<security:intercept-url pattern="^\/.*$" access="isAuthenticated()"/>
<security:form-login
login-page="/loginRedirector.jsp"
login-processing-url="/login"
authentication-failure-handler-ref="authenticationFailureHandler"
default-target-url="/welcome.jsp"
always-use-default-target="true"
username-parameter="j_username"
password-parameter="j_password"
/>
<security:logout logout-success-url="/loginRedirector.jsp" />
<security:session-management invalid-session-url="/loginRedirector.jsp">
<security:concurrency-control max-sessions="1" />
</security:session-management>
<security:csrf disabled="true"/>
</security:http>
<security:authentication-manager erase-credentials="false">
<security:authentication-provider>
<security:password-encoder ref="passwordEncoder" />
<security:jdbc-user-service
data-source-ref="globalDataSource"
users-by-username-query="SELECT user_id AS `username`, PASSWORD AS `password`, IF(user_locked = 'N', 1, 0) AS `enabled` FROM `user` WHERE user_id = ?"
authorities-by-username-query="SELECT u.user_id AS `username`, r.NAME AS `role` FROM `user` u INNER JOIN user_role ur ON ur.user_fk = u.user_pk INNER JOIN role AS r ON ur.role_fk = r.role_pk WHERE u.user_id = ?"
/>
</security:authentication-provider>
<security:authentication-provider ref="ssoAuthenticationProvider" />
</security:authentication-manager>
<beans:bean id="authenticationFailureHandler" class="com.ideas.carparkpro.core.service.impl.LoginFailureHandler" />
<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
<beans:bean id="ssoAuthenticationProvider" class="com.ideas.carparkpro.core.service.impl.SSOAuthenticationProvider" />
</beans:beans>
Solution 1:[1]
I've never used it but I think this could work for you: DelegatingFilterProxy.
To use it, you need to add the snippet below to your web.xml:
<filter>
<filter-name>filterProxy</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>filterProxy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
and then configure the filterChainProxy bean to whitelist the /rest URL whilst applying all filters you need to the general case. Here is an example:
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
<list>
<sec:filter-chain pattern="/rest/**" filters="none" />
<sec:filter-chain pattern="/**" filters="
UsernamePasswordAuthenticationFilter,
basicAuthenticationFilter,
formLoginFilter,
securityContextPersistenceFilterWithASCTrue,
exceptionTranslationFilter,
filterSecurityInterceptor" />
</list>
</constructor-arg>
</bean>
The order above is important. The more restrict URLs must come first.
Solution 2:[2]
As per my comment on the question, you may not need to define the controller to not have any security settings. But if you do, there are already other controllers in your security.xml that do something similar:
<security:intercept-url pattern="^\/rest/*$" access="permitAll"/>
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | mohammedkhan |