Home/ Questions/Q 8880219
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T20:07:30+00:00

Using Spring MVC + Security I have a business requirement that the users from

  • 0

Using Spring MVC + Security I have a business requirement that the users from SEC (Security team) has full access to the application and FRAUD (Anti-fraud team) has only access to the pages that URL not contains the words “block” or “update” with case insensitive.

Below, a test of the regular expressions used in spring-security.xml (I’m not a regex specialist, improvements are welcome =]):

import java.util.Arrays;
import java.util.List;

public class RegexTest {

    public static void main(String[] args) {

        List<String> pathSamples = Arrays.asList(
                "/index",
                "/index.*",
                "/index/",
                "/cellphone/block",
                "/cellphone/block.*",
                "/cellphone/block/",
                "/cellphone/confirmBlock",
                "/cellphone/confirmBlock.*",
                "/cellphone/confirmBlock/",
                "/user/update",
                "/user/update.*",
                "/user/update/",
                "/user/index",
                "/user/index.*",
                "/user/index/",
                "/search",
                "/search.*",
                "/search/",
                "/doSearch",
                "/doSearch.*",
                "/doSearch/");

        for (String pathSample : pathSamples) {
            System.out.println("Path sample: " + pathSample
                    + " - SEC: " + pathSample.matches("^.*$")
                    + " | FRAUD: " + pathSample.matches("^(?!.*(?i)(block|update)).*$"));
        }
    }
}

Bellow, the console result of Java class above:

Path sample: /index - SEC: true | FRAUD: true
Path sample: /index.* - SEC: true | FRAUD: true
Path sample: /index/ - SEC: true | FRAUD: true
Path sample: /cellphone/block - SEC: true | FRAUD: false
Path sample: /cellphone/block.* - SEC: true | FRAUD: false
Path sample: /cellphone/block/ - SEC: true | FRAUD: false
Path sample: /cellphone/confirmBlock - SEC: true | FRAUD: false
Path sample: /cellphone/confirmBlock.* - SEC: true | FRAUD: false
Path sample: /cellphone/confirmBlock/ - SEC: true | FRAUD: false
Path sample: /user/update - SEC: true | FRAUD: false
Path sample: /user/update.* - SEC: true | FRAUD: false
Path sample: /user/update/ - SEC: true | FRAUD: false
Path sample: /user/index - SEC: true | FRAUD: true
Path sample: /user/index.* - SEC: true | FRAUD: true
Path sample: /user/index/ - SEC: true | FRAUD: true
Path sample: /search - SEC: true | FRAUD: true
Path sample: /search.* - SEC: true | FRAUD: true
Path sample: /search/ - SEC: true | FRAUD: true
Path sample: /doSearch - SEC: true | FRAUD: true
Path sample: /doSearch.* - SEC: true | FRAUD: true
Path sample: /doSearch/ - SEC: true | FRAUD: true

Tests

Scenario 1

Bellow, the important part of spring-security.xml:

<security:http entry-point-ref="entryPoint" request-matcher="regex">

    <security:intercept-url pattern="^.*$" access="ROLE_SEC" />
    <security:intercept-url pattern="^(?!.*(?i)(block|update)).*$" access="ROLE_FRAUD" />

    <security:access-denied-handler error-page="/access-denied.html" />

    <security:form-login always-use-default-target="false"
        login-processing-url="/doLogin.html"
        authentication-failure-handler-ref="authFailHandler"
        authentication-success-handler-ref="authSuccessHandler" />
    <security:logout logout-url="/logout.html"
        success-handler-ref="logoutSuccessHandler" />
</security:http>

Behaviour:

  • FRAUD group **can’t” access any page
  • SEC group works fine

Scenario 2

NOTE that I only changed the order of intercept-url in spring-security.xml bellow:

<security:http entry-point-ref="entryPoint" request-matcher="regex">

    <security:intercept-url pattern="^(?!.*(?i)(block|update)).*$" access="ROLE_FRAUD" />
    <security:intercept-url pattern="^.*$" access="ROLE_SEC" />

    <security:access-denied-handler error-page="/access-denied.html" />

    <security:form-login always-use-default-target="false"
        login-processing-url="/doLogin.html"
        authentication-failure-handler-ref="authFailHandler"
        authentication-success-handler-ref="authSuccessHandler" />
    <security:logout logout-url="/logout.html"
        success-handler-ref="logoutSuccessHandler" />
</security:http>

Behaviour:

  • SEC group **can’t” access any page
  • FRAUD group works fine

Conclusion

I did something wrong or spring-security have a bug.

The problem already was solved in a very bad way, but I need to fix it quickly. Anyone knows some tricks to debug better it without open the frameworks code?

Cheers,

Felipe

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The first configuration is wrong because the universal matcher is first so the second one will be ignored. The second configuration will exclude the SEC role from anything the first matches, so it sounds like you want something more like

    <intercept-url pattern="^(?!.*(?i)(block|update)).*$" access="ROLE_FRAUD,ROLE_SEC" />
<intercept-url pattern="^.*$" access="ROLE_SEC" />

    which has the SEC attribute in both patterns.

    If that’s still not what you require then please post the relevant debug log, showing Spring Security selecting the attributes for a particular request (this is logged in detail) and explain how it differs from what you expect.

    • 0