Request Interception with Spring Security
11-27-2011 at 10:54 PM
This is the last in a series of tips on Spring Security. After my previous tips, you should be able to configure Spring Security as well as set up login and logout. In this last tip, I will show you how to intercept requests. The <intercept-url> element is the key to request-level security. Its pattern attribute is given a URL pattern that will be matched against incoming requests. If a request matches the pattern, the <intercept-url>'s security rules are applied. Consider an <intercept-url> element like the following:
    <intercept-url pattern="/**" access="ROLE_USER" />
The pattern attribute takes an Ant-style path, or you can use regular expressions by setting the <http> element's path-type attribute to regex.
I have set the pattern attribute to /**, indicating that I want all requests, irrespective of the URL, to require ROLE_USER access. Using /** is effectively global, since it covers practically every request. You can define more specific patterns depending on your needs.
Suppose I wanted reserved areas of the Springexample application that are restricted to administrative users. I can insert the following <intercept-url> just before the one I already have set up:
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
Where the first <intercept-url> entry makes sure that the user has ROLE_USER authority for most of the application, this <intercept-url> restricts access to the /admin branch of the site's hierarchy to users with ROLE_ADMIN authority.
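You can set up as many <intercept-url> entries as you need to secure various paths in your web application. The key is to know that the <intercept-url> rules are applied top to bottom, so the first pattern that matches a request decides which rule applies; this is why the more specific /admin/** entry goes before the catch-all /**. That's it! See you next time.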
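The top-to-bottom ordering described above can be checked mechanically. The following Python sketch is an added example, not code from the original tip or from Spring Security: it models first-match evaluation with a simplified Ant-style matcher and flags an <intercept-url> that an earlier, broader pattern shadows. The function names, the un-namespaced <http> snippets and the matcher itself are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

def ant_to_regex(pattern):
    """Simplified Ant-style matching (an approximation, not Spring's AntPathMatcher)."""
    tokens = {"/**": "(/.*)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}
    body = re.sub(r"/\*\*$|\*\*|\*|\?|[^*?]",
                  lambda m: tokens.get(m.group(), re.escape(m.group())), pattern)
    return re.compile("^" + body + "$")

def load_rules(http_xml):
    """Return (pattern, access) pairs in document order (assumes no XML namespace)."""
    root = ET.fromstring(http_xml)
    return [(e.get("pattern"), e.get("access")) for e in root.iter("intercept-url")]

def required_access(rules, path):
    """Rules are applied top to bottom; the first pattern that matches decides."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None

def shadowed_rules(rules):
    """Heuristic: flag a rule whose own sample path is decided by an earlier rule."""
    flagged = []
    for idx, (pattern, access) in enumerate(rules):
        sample = pattern.replace("**", "x").replace("*", "x").replace("?", "x")
        first = next(i for i, (p, _) in enumerate(rules) if ant_to_regex(p).match(sample))
        if first < idx:
            flagged.append((pattern, access, rules[first][0]))
    return flagged

# Constructed configs: the page's two rules, in the correct and the reversed order.
CORRECT = """<http>
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
  <intercept-url pattern="/**" access="ROLE_USER" />
</http>"""
REVERSED = """<http>
  <intercept-url pattern="/**" access="ROLE_USER" />
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
</http>"""

if __name__ == "__main__":
    for name, cfg in (("correct", CORRECT), ("reversed", REVERSED)):
        rules = load_rules(cfg)
        print(name, required_access(rules, "/admin/users"), shadowed_rules(rules))
```

With the reversed order, /admin/users only requires ROLE_USER and the /admin/** rule is reported as shadowed by /**.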