Spring Security
  1. Spring Security
  2. SEC-1201

PropertyPlaceholderConfigurer does not work for intercept-url attributes

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.0 M2
    • Fix Version/s: 3.0.0 RC1
    • Component/s: Namespace
    • Labels:
      None

      Description

      Hello,

      I need to define a property placeholder to configure the access for an intercept URL pattern:
      <security:http>
      <security:intercept-url pattern="/**" access="ROLE_$

      {access.role}

      " />
      </security:http>

      As the HttpSecurityBeanDefinitionParser doesn't create BeanDefinitions for any the properties (and sub-properties) that are passed to the FilterSecurityInterceptor, the PropertyPlaceholderConfigurer can't substitute them. This issue looks very equal to SEC-975, but I guess it's a little harder to solve as the pattern-access map resides deeper in the object hierarchy.

      Kind regards

      Marc

        Activity

        Hide
        Marc Rohlfs added a comment -

        BTW: Adding the following bean definitions to the Spring context serves as a workaround for the problem - but it looks a little wired, doesn't it?

        <bean class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
        <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" />
        <property name="accessDecisionManager" ref="_accessManager"></property>
        <property name="authenticationManager" ref="_authenticationManager"></property>
        <property name="objectDefinitionSource">
        <bean class="org.springframework.security.intercept.web.DefaultFilterInvocationDefinitionSource">
        <constructor-arg>
        <bean class="org.springframework.security.util.AntUrlPathMatcher" />
        </constructor-arg>
        <constructor-arg>
        <bean class="java.util.LinkedHashMap">
        <constructor-arg>
        <map>
        <entry>
        <key>
        <bean class="org.springframework.security.intercept.web.RequestKey">
        <constructor-arg value="/**" />
        </bean>
        </key>
        <bean class="org.springframework.security.ConfigAttributeDefinition">
        <constructor-arg value="ROLE_$

        {access.role}

        " />
        </bean>
        </entry>
        </map>
        </constructor-arg>
        </bean>
        </constructor-arg>
        <property name="stripQueryStringFromUrls" value="true" />
        </bean>
        </property>
        </bean>

        Show
        Marc Rohlfs added a comment - BTW: Adding the following bean definitions to the Spring context serves as a workaround for the problem - but it looks a little wired, doesn't it? <bean class="org.springframework.security.intercept.web.FilterSecurityInterceptor"> <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" /> <property name="accessDecisionManager" ref="_accessManager"></property> <property name="authenticationManager" ref="_authenticationManager"></property> <property name="objectDefinitionSource"> <bean class="org.springframework.security.intercept.web.DefaultFilterInvocationDefinitionSource"> <constructor-arg> <bean class="org.springframework.security.util.AntUrlPathMatcher" /> </constructor-arg> <constructor-arg> <bean class="java.util.LinkedHashMap"> <constructor-arg> <map> <entry> <key> <bean class="org.springframework.security.intercept.web.RequestKey"> <constructor-arg value="/**" /> </bean> </key> <bean class="org.springframework.security.ConfigAttributeDefinition"> <constructor-arg value="ROLE_$ {access.role} " /> </bean> </entry> </map> </constructor-arg> </bean> </constructor-arg> <property name="stripQueryStringFromUrls" value="true" /> </bean> </property> </bean>
        Hide
        David Findlay added a comment -

        It doesn't expand parameters in the requires-channel attributed of intercept-url or in form-login either.

                <security:intercept-url pattern="/${web.auth.login_url}" access="ROLE_ANONYMOUS"/>
                <security:intercept-url pattern="/${web.auth.failure_url}" access="ROLE_ANONYMOUS"/>
                <security:intercept-url pattern="/**" access="ROLE_USER" requires-channel='${web.auth.requires.channel}'/>
                <security:form-login login-page='${web.auth.login_url}'
                            authentication-failure-url='${web.auth.failure_url}'
                            default-target-url='${web.auth.success_url}'/
        
        Show
        David Findlay added a comment - It doesn't expand parameters in the requires-channel attributed of intercept-url or in form-login either. <security:intercept-url pattern= "/${web.auth.login_url}" access= "ROLE_ANONYMOUS" /> <security:intercept-url pattern= "/${web.auth.failure_url}" access= "ROLE_ANONYMOUS" /> <security:intercept-url pattern= "/**" access= "ROLE_USER" requires-channel='${web.auth.requires.channel}'/> <security:form-login login-page='${web.auth.login_url}' authentication-failure-url='${web.auth.failure_url}' default -target-url='${web.auth.success_url}'/
        Hide
        Luke Taylor added a comment -

        Should all be fixed in trunk. Please try with a snapshot build.

        Show
        Luke Taylor added a comment - Should all be fixed in trunk. Please try with a snapshot build.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Marc Rohlfs
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: