Monday, 4 March 2013

Spring Security Not Working with particular url pattern

Spring security provides greater flexibility and ease in terms of securing your web application.Recently i found that a particular url was not working in spring security[whereas other urls were working perfectly]. it completely bypassing the url although it was defined in the same way as other urls . Here is my spring security configuration all urls are secured except /TestServlet
<security:http auto-config="true">
 <security:logout logout-success-url="/login" invalidate-session="true" logout-url="/logout"/>
 <security:intercept-url pattern="/login.jsp" filters="none" />
 <security:intercept-url pattern="/login" filters="none" />
 <security:intercept-url pattern="/logout" filters="none" />
 <security:intercept-url pattern="/TestServlet"  access="ROLE_ADMIN" />
 <security:form-login login-page="/login"
 default-target-url="/home" authentication-failure-url="/login?error=1"
  always-use-default-target="true"/> 
</security:http>
Later , i found out that spring security filter converts the matching url pattern[which we define in intercept-url pattern tag] to lower case , so if you have camel case or upper case url pattern(one or more capital letters in url pattern), it will not match with the spring security pattern , thus this pattern will be ignored by spring security filter. There is a tag available to disable this converting of matching url pattern to lower case. just add lowercase-comparisons attribute to false in http tag in spring security like this :
<security:http auto-config="true" lowercase-comparisons="false">
 <security:logout logout-success-url="/login" invalidate-session="true" logout-url="/logout"/>
 <security:intercept-url pattern="/login.jsp" filters="none" />
 <security:intercept-url pattern="/login" filters="none" />
 <security:intercept-url pattern="/logout" filters="none" />
 <security:intercept-url pattern="/TestServlet"  access="ROLE_ADMIN" />
 <security:form-login login-page="/login"
 default-target-url="/home" authentication-failure-url="/login?error=1"
  always-use-default-target="true"/> 
</security:http>