Currently it secures the jsp pages and can display them BUT the REST endpoints CAN NOT be found (404 for all rest AJAX Calls). I have done other things to change it where it finds the rest endpoints, but then the HTML can't be found and the security checks aren't being performed.
What am I missing?
security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http pattern="/images/**" security="none"/>
    <http pattern="/css/**" security="none"/>
    <http pattern="/js/**" security="none"/>

    <http auto-config="true" disable-url-rewriting="true">
        <intercept-url pattern="/login-page.html" access="ROLE_ANONYMOUS"/>
        <intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" />
        <form-login login-page='/login-page.html' default-target-url="/static-page.jsp" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="select USERNAME, PASSWORD, ENABLED
                    from USERS where USERNAME=?"
                authorities-by-username-query="
                    select U.USERNAME, UR.AUTHORITY from USERS U, ROLES UR
                    where U.USERNAME=UR.USERNAME and U.USERNAME=?"
            />
        </authentication-provider>
    </authentication-manager>
</beans:beans>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:server-context.xml, classpath:spring-security.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>jersey-servlet</servlet-name>
        <servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
        <init-param>
            <param-name>com.sun.jersey.config.property.packages</param-name>
            <param-value>service.admin</param-value>
        </init-param>
        <init-param>
            <param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
            <param-value>true</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>jersey-servlet</servlet-name>
        <url-pattern>/test-app/*</url-pattern>
    </servlet-mapping>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
Under the webapp folder I have the js, css and images folders plus the *.html and *.jsp files; under WEB-INF is where the web.xml folder is. Is there someplace else I should put the html files, and how would I map it in the web.xml?
In order to secure your HTML files, you’ll first need to place them in a secure location. The WEB-INF folder is the only folder deployed in your application that is not accessible by HTTP; thus, a folder there is a good place to keep your HTML files. I recommend /WEB-INF/html.
Next, you’ll need to tell Spring to map all requests for *.html to the /WEB-INF/html folder. This needs to be placed inside a xml element in your Spring servlet.xml file.
html-servlet.xml:
See How To Secure MVC Resources for more information.
You’ll need to add some http entries in your security.xml file for each HTML file:
This uses the Spring filter to check the resource and redirect it based on the user’s role.
Lastly, you’ll need an entry in web.xml for a servlet that handles requests to *.html:
web.xml:
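An added example, not the answerer's own configuration, sketching how the three pieces described in this answer could fit together. It assumes a Spring MVC `DispatcherServlet` named `html`, the `mvc:resources` element for the `*.html` mapping, and two constructed page names, `admin.html` and `reports.html`.

```xml
<!-- Added example: three fragments, one per file. The servlet name "html" and the
     page names admin.html / reports.html are assumed for illustration. -->

<!-- 1. /WEB-INF/html-servlet.xml, inside the root <beans> element (requires the
     mvc namespace, xmlns:mvc="http://www.springframework.org/schema/mvc").
     Serves /foo.html from /WEB-INF/html/foo.html, which is not reachable directly. -->
<mvc:resources mapping="/*.html" location="/WEB-INF/html/"/>

<!-- 2. security.xml: per-page rules. Rules are matched top to bottom and the first
     match wins, so specific pages must come before the /** catch-all. -->
<http auto-config="true" disable-url-rewriting="true">
    <intercept-url pattern="/login-page.html" access="ROLE_ANONYMOUS"/>
    <intercept-url pattern="/admin.html" access="ROLE_ADMIN"/>
    <intercept-url pattern="/reports.html" access="ROLE_USER, ROLE_ADMIN"/>
    <intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN"/>
    <form-login login-page="/login-page.html" default-target-url="/static-page.jsp"/>
</http>

<!-- 3. web.xml: a DispatcherServlet named "html" reads /WEB-INF/html-servlet.xml
     by naming convention and receives every *.html request. -->
<servlet>
    <servlet-name>html</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>html</servlet-name>
    <url-pattern>*.html</url-pattern>
</servlet-mapping>
```

The existing `springSecurityFilterChain` mapping on `/*` stays as it is, so every `*.html` request passes through the security filter before it reaches this servlet.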