  1. Spring Security
  2. SEC-1400

Support composition of intercept-url lists

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.1
    • Fix Version/s: 3.0.2
    • Component/s: Namespace
    • Labels:
      None

      Description

      I would like the security namespace to be able to specify lists of <url-interceptor> elements separately from the <http> element, and then wire them into the active <http> element depending on some configuration property.

      This is illustrative of the kind of thing I would like to be able to do:

      <sec:http>
      <sec:intercept-url pattern="/images/*" filters="none" />
      <sec:include-intercept-url-list ref="${param}" />
      <sec:intercept-url pattern="/*.gif" filters="none" />
      ...
      </sec:http>

      ... and in a different file ...

      <sec:intercept-url-list id="some-id">
      <sec:intercept-url pattern="/annotea/admin/*" access="ROLE_ADMIN" />
      <sec:include-intercept-url-list ref="some-other-id" />
      </sec:intercept-url-list>

      ... and in a Java properties file

      param=some-id

      Ideally, intercept url lists would be configurable to the same extent that regular spring beans are configurable; e.g. using <bean:import>, <bean:alias>, the new Spring EL, PropertyPlaceholderConfigurer and so on. But I'd be happy with anything that allows me to factor out the interceptor lists and compose them under the control of the System properties.

        Activity

        crawley Stephen Crawley added a comment -

        Well it works, though there are a couple of gotchas:

        1) It is not possible to use the filter="none" form of an <intercept-url> in a separate FilterSecurityInterceptor. That means I cannot use config switch tricks to select the URL patterns for which the security filters are bypassed.

        2) In order to wire the FilterSecurityInterceptor, you have to set the "authenticationManager" and "accessDecisionManager" properties. The authenticationManager I can name using the "alias" attribute on my <authentication-manager> element, but there is no advertised id or alias for the AccessDecisionManager that the <http> namespace creates by default. So I have to explicitly configure and wire in an AccessDecisionManager bean that is identical to the one I'd use by default.

        luke Luke Taylor added a comment -

        There are always other ways to do things. For example, you can write your own bypass filter and select that in DelegatingFilterProxy rather than "springSecurityFilterChain", having it skip the FilterChainProxy for URLs you don't want to be secured but direct everything else through it.
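
A sketch of the bypass filter described in the comment above, added here as an example; it is not code from the issue or from Spring Security. The class name BypassFilter, its two setters and the pattern list are assumptions: the filter is assumed to be declared as a Spring bean with the "springSecurityFilterChain" bean injected, and DelegatingFilterProxy in web.xml is assumed to point at this bean's name.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import org.springframework.util.AntPathMatcher;

/** Hypothetical bypass filter: unsecured URLs skip the Spring Security chain. */
public class BypassFilter implements Filter {
    private final AntPathMatcher matcher = new AntPathMatcher();
    private Filter securityFilterChain;      // inject the "springSecurityFilterChain" bean
    private List<String> unsecuredPatterns;  // Ant patterns, e.g. from a property-selected list bean

    public void setSecurityFilterChain(Filter chain) { this.securityFilterChain = chain; }
    public void setUnsecuredPatterns(List<String> patterns) { this.unsecuredPatterns = patterns; }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (isUnsecured((HttpServletRequest) req)) {
            chain.doFilter(req, res);                       // skip Spring Security entirely
        } else {
            securityFilterChain.doFilter(req, res, chain);  // default: go through FilterChainProxy
        }
    }

    boolean isUnsecured(HttpServletRequest request) {
        // Match on the container-decoded path rather than the raw request URI.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        // Fail closed: a path that is not in canonical form is always secured.
        if (path.contains("..") || path.contains(";") || path.contains("//")) {
            return false;
        }
        for (String pattern : unsecuredPatterns) {
            if (matcher.match(pattern, path)) {
                return true;
            }
        }
        return false;
    }
}
```

Because a match here removes every security filter for the request, the pattern list should stay as narrow as the filters="none" entries it replaces, and anything unmatched is secured by default.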

        enricogiurin Enrico Giurin added a comment -

        I'd also be interested in having this feature, which is to have the list of intercept-url in a separate file, out of the http section. I would like to put the list of the intercept-url in the application file while having the general configuration section in another product configuration file, to be reused in many applications.

        garpinc Keith Garry Boyce added a comment -

        If you configured a separately configured FilterSecurityInterceptor at the end of the stack, you would have to change the FILTER_APPLIED functionality, right? Hence you have to override the entire FilterSecurityInterceptor class?

        Replacing the default interceptor by using a PostProcessor provides no way to specify which bean to replace in which context, i.e. if you have 2 http sections.

        issuemaster Spring Issuemaster added a comment -

        This issue has been migrated to https://github.com/spring-projects/spring-security/issues/1643

          People

          • Assignee:
            luke Luke Taylor
            Reporter:
            crawley Stephen Crawley