
Spring Framework

Request Interception with Spring Security

by , 11-27-2011 at 11:54 PM (2986 Views)
This is the last of a series of tips on Spring Security. From my previous tips, you should be able to configure Spring Security as well as set up login and logout. In this last tip, I will show you how to intercept requests. The <intercept-url> element is the key to request-level security. Its pattern attribute is given a URL pattern that is matched against incoming requests. If a request matches the pattern, the <intercept-url>'s security rules are applied. So if you have an <intercept-url> element like the following:

Java Code:
<intercept-url pattern="/**" access="ROLE_USER" />
The pattern attribute takes an Ant-style path, or you can use regular expressions by setting the <http> element's path-type attribute to regex.

I have set the pattern attribute to /**, indicating that I want all requests, irrespective of the URL, to require ROLE_USER access. Using /** is effectively global, as it matches practically every request. You can define more specific patterns depending on your needs.
Suppose I wanted reserved areas of the Springexample application that are restricted to administrative users. I can insert the following <intercept-url> just before the one I already have set up:

Java Code:
<intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
Where the first <intercept-url> entry makes sure that the user has ROLE_USER authority for most of the application, this <intercept-url> restricts access to the /admin branch of the site's hierarchy to users with ROLE_ADMIN authority.
You can set up as many <intercept-url> entries as you need to secure various paths in your web application. The key is to know that the <intercept-url> rules are applied top to bottom: the first pattern that matches a request decides its access rule, which is why the /admin/** entry has to come before the catch-all /** entry. That's it! See you next time.
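The top-to-bottom evaluation described above, as an added example (not code from the original tip or from Spring Security itself): a simplified Java model of first-match rule selection that compares the order used in this tip with the reversed order. The class InterceptUrlOrder and its methods are hypothetical, and the matcher is assumed to support only exact paths and a trailing /**.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model of <intercept-url> evaluation: rules are tried top to
// bottom and the first pattern that matches decides the required role.
// Assumption: only exact paths and a trailing "/**" are supported here;
// real Ant-style patterns also allow "*" and "?".
public class InterceptUrlOrder {

    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            // "/admin/**" covers "/admin" itself and everything below it,
            // but not a sibling such as "/administrator".
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // Returns the access attribute of the first matching rule, or null.
    static String requiredRole(Map<String, String> rules, String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (matches(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Order used in this tip: the specific rule comes first.
        Map<String, String> correct = new LinkedHashMap<>();
        correct.put("/admin/**", "ROLE_ADMIN");
        correct.put("/**", "ROLE_USER");

        // Reversed order: "/**" matches everything, so "/admin/**" is never reached.
        Map<String, String> shadowed = new LinkedHashMap<>();
        shadowed.put("/**", "ROLE_USER");
        shadowed.put("/admin/**", "ROLE_ADMIN");

        // Constructed sample request paths.
        String[] paths = {"/home", "/admin", "/admin/users", "/administrator"};
        for (String path : paths) {
            System.out.printf("%-15s correct=%-10s shadowed=%s%n",
                    path, requiredRole(correct, path), requiredRole(shadowed, path));
        }
    }
}
```

In the reversed order every path, including those under /admin, resolves to ROLE_USER, so a review of a security configuration should check that no broad pattern sits above a narrower one.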
