I am using Spring Security 3.0.3 for a project.
This project has 3 areas which should be accessible for different people
Therefore I create the following structure
– WEB-INF/ (for everybody = unprotected)
– WEB-INF/app (for users = ROLE_USER)
– WEB-INF/app/admin.jsf (for admins = ROLE_ADMIN)
That admin.jsf is in the same directory I can’t change unfortunatly.
My user info is loaded from the database.
They are defined like:
<bean id="preAuthenticatedProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/> <security:http entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" >
<security:custom-filter position="PRE_AUTH_FILTER" ref="MyFilter"/>
<security:intercept-url pattern="/app/admin.jsf" access="ROLE_ADMIN" />
<security:intercept-url pattern="/app/**" access="ROLE_USER" />
<security:intercept-url pattern="/**" access="" />
</security:http>
Now, everything works great. Userdata is loaded, roles are set according to the DB but unfortunatly
- the unprotected area is accessable for all (thats ok)
- admins can see every page (since they are ROLE_USER too)
- role users CAN NOT enter the pages in app
Does anyone have a hint what I did wrong?
I am testing it locally and the browser url is: http://localhost:8080/my_app/app/admin.jsf
So far I was able to identify source of the problem that spring security ignores my roles. The patterns of the intercept urls are working, unfortunatly my defined roles don’t.
I finally was able to identify the problem: a colleague checked in a second config file and I modiefied the wrong one. grml
The problem is that the patterns in the configuration are URL patterns, this is NOT the location of your jsf files or within the application.
So if you are not accessing this jsf via:
http://<server>:<port>/<ApplicationName>/app/admin.jsfthen you just need to correct the URL pattern to the url you really use.