Spring Security / SEC-1503

HTTP request 'method' attribute of intercept-url does not appear to be respected

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.1.0.M1
    • Component/s: None
    • Labels: None

      Description

      I'm attempting to have the following:

      • GET /signin – login-page
      • POST /signin – login-processing-url

      To do this I tried the following config:

      <http use-expressions="true">
      <!-- Authentication policy -->
      <form-login login-page="/signin" login-processing-url="/signin" authentication-failure-handler-ref="authenticationFailureHandler" />
      <logout logout-url="/signout" />
      <!-- Authorization policy -->
      <intercept-url pattern="/" access="permitAll" />
      <intercept-url pattern="/signup" access="permitAll" />
      <intercept-url pattern="/signin" filters="none" method="GET" />
      <intercept-url pattern="/signin" access="permitAll" method="POST" />
      <intercept-url pattern="/resources/**" access="permitAll" />
      <intercept-url pattern="/**" access="isAuthenticated()" />
      </http>
      

      Unfortunately, when I POST to /signin, the 'filters="none"' rule seems to be enforced (which I tried to only set on GET /signin). As a result, the filter never picks up my authentication request.

        Activity

        Keith Donald added a comment -

        I was able to work around this problem by making "/signin/authenticate" the login-processing URL and POSTing to it.

        Luke Taylor added a comment -

        The "method" attribute only applies to the access constraint. Using filters="none" will bypass Spring Security entirely. An alternative is to use the "IS_AUTHENTICATED_ANONYMOUSLY" access attribute to specify that anonymous access is allowed.

        This situation will no longer exist in 3.1, as the "filters" attribute is no longer supported, as a result of the work on SEC-1171.
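
The explanation above applied to the reported 3.0.x configuration, as an added example that is not part of the original issue or the project's own code. It assumes the report's `use-expressions="true"` mode, so it keeps the report's own `permitAll` expression rather than the `IS_AUTHENTICATED_ANONYMOUSLY` attribute, which belongs to the non-expression syntax.

```xml
<!--
  Reported rules (problem). filters="none" is selected by URL pattern alone;
  "method" only narrows the access constraint. Every request to /signin,
  POST included, therefore skips the whole filter chain and the form-login
  filter never sees the credentials:

    <intercept-url pattern="/signin" filters="none" method="GET" />
    <intercept-url pattern="/signin" access="permitAll" method="POST" />
-->

<!-- Corrected rules: /signin stays inside the filter chain for all methods. -->
<http use-expressions="true">
  <!-- Authentication policy (unchanged from the report) -->
  <form-login login-page="/signin"
              login-processing-url="/signin"
              authentication-failure-handler-ref="authenticationFailureHandler" />
  <logout logout-url="/signout" />

  <!-- Authorization policy -->
  <intercept-url pattern="/" access="permitAll" />
  <intercept-url pattern="/signup" access="permitAll" />
  <!--
    One rule, no "filters" and no "method": GET renders the login page
    without requiring authentication, and POST is still processed by the
    authentication filter because the request is no longer bypassed.
  -->
  <intercept-url pattern="/signin" access="permitAll" />
  <intercept-url pattern="/resources/**" access="permitAll" />
  <!-- Catch-all stays last so everything not listed above needs a login. -->
  <intercept-url pattern="/**" access="isAuthenticated()" />
</http>
```

When reviewing a 3.0.x configuration, treat any `filters="none"` rule as covering every HTTP method on that pattern, whatever its `method` attribute says, and confirm that no login, logout or otherwise protected URL falls under it.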


          People

          • Assignee: Luke Taylor
          • Reporter: Keith Donald
          • Votes: 0
          • Watchers: 0
