Home/ Questions/Q 7888107
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-03T05:45:07+00:00

I use spring-security to secure my web, when I’m learning it by spring-roo generated

  • 0

I use spring-security to secure my web, when I’m learning it by spring-roo generated config file in applicationContext-security.xml, in <http> node:

 <intercept-url pattern="/userses?form" access="hasRole('ROLE_ADMIN')" />

It means when you want to create a Users object, firstly you need to login to get ADMIN permission. But actually it didn’t work. Check the log:

2012-05-06 11:39:11,250 [http-8088-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/userses'; against '/userses?form'

The framework use the /userses instead of /userses?form to compare with, authentication process skipped as string didn’t match. To verify this I also try another url:

<intercept-url pattern="/userses/abc" access="hasRole('ROLE_ADMIN')" />

I requested the /userses/abc, it detected user is not authorized, and moved to /login page, checked the log:

2012-05-06 11:46:44,343 [http-8088-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/uesrses/abc'; against '/userses/abc'

So my question is: Doesn’t spring-secure 3 support “?parameter” pattern or I missed something to config to support this?
PS: All the code is generated by roo without modification, also wonder why it doesn’t work.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    By default spring security uses ant style matching, which can’t match on parameters. Regex matching, however, can match on parameters

    Try defining it like so:

    <http request-matcher="regex">
  <security:intercept-url pattern="\A/userses\?form.*\Z" access="hasRole('ROLE_ADMIN')" />
</http>

    Don’t know why Roo doesn’t do this automatically. Seems like it should.

    • 0