Spring Security Hiccups

In any web-application some pages are secured (only logged in and authorized users with proper role can access) and some pages are not secured such as login or landing page. But sometimes we need a mix-n-match, such as some information user can view without proper access(login) but they need rights(such as login) to perform additional activities. here is an example - in amazon or any retail site you can view products, but you need to login to buy the product - the buy now button will ask for your credentials.

 Images, css, Javascript dont require security
<sec:http pattern="/css/**" security="none"/>
<sec:http pattern="/gwt/**" security="none"/>
<sec:http pattern="/images/**" security="none"/>
<sec:http pattern="/img/**" security="none"/>

<sec:http pattern="/scripts/**" security="none"/>

Logon page needs anonymous access -
<sec:http auto-config="true" use-expressions="true">
  <sec:intercept-url pattern="/logon.do" access="hasAnyRole('ROLE_ANONYMOUS')"/>
</sec:http>

Logout or home page need a user
<sec:intercept-url pattern="/logout.do" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/home.do" access="hasRole('ROLE_USER')"/>

For those pages that need both logged-in and no logon
<sec:intercept-url pattern="/yourSecuredAndUnsecuredPage.do" access="permitAll"/>

The beauty of permitAll is that, the request goes through the secuirty filter, hence for logged-in user the SecuirtyContext holds an authnetication, whereas if you leave the page <sec:http pattern="/ somePage.do"security="none"/> then no filter is used and hence for the logged-in user it will say authentication is null, hence <sec:authorize access="authenticated" var="xxxxx" /> in jsp will always set xxxx=false. the logged-in user logic will not work.

So, for mix pages use the permitAll access.

Comments

Post a Comment

Popular posts from this blog

NSSM service eats 100% CPU

Image
NSSM logstash service can cause a fatal CPU hungry outage in your clients unless you override the AppExit default value. By default it comes as default 'Restart' To change it to ' Stop service ' you need to run the following command nssm set logstash AppExit Default Exit It will change the service definition as follow Other v alid exit actions are: Restart Ignore Exit Suicide  
Read more

JPA Vs SpringJDBC

Recently I conducted many interviews for my employer, one 8-9 yrs exp candidate asked me what data access object layer do we use in our project. I was thinking a bit as , like they do with persistence - polyglot persistence, we maintain different DAO technologies - JPA, proprietary JDBC, JDO, Spring JDBC. you cannot say which one is the best. It depends on the context but definitely having so many things for performing dataaccess is not advisable. In this topic I will try to explore the JPA and Spring JDBC. Spring is a life savior, it's template concept reduces the boilerplate code but still the jdbc template comes with baggages - row mapper, SQL, parameters etc. If you have good knowledge of database schema, you want to execute stored procedure, you want more handle on your code to access the db. Then go for Spring, you can debug easily and have control on your DTO. If you need to abstract away the SQL, hide complexity, write less code, dont need to execute the stored proced...
Read more

Ignite Running in Static IP multicast mode

Apache Ignite throws multicast exception in local machine when multicast is on and internet is connect. The following is an example of multicast IP discovery  <!-- Explicitly configure TCP discovery SPI to provide list of initial nodes. -->         <property name="discoverySpi">             <bean class="org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi">                 <property name="ipFinder">                      <bean class="org.apache.ignite.spi.discovery.tcp.ipfinder. multicast . TcpDiscoveryMulticastIpFinder ">                         <property name="addresses">                             <list>               ...
Read more