
I am studying Spring Security and I am having some difficulty understanding the intercept-url concept and answering this question that I found in my study material:

In which order do you have to write multiple intercept-url's?

So, on my study material, I found this practical example:

<beans>
    <security:http>
        <security:intercept-url pattern="/accounts/edit*"
                                access="ROLE_ADMIN" />
        <security:intercept-url pattern="/accounts/account*"
                                access="ROLE_ADMIN,ROLE_USER" />
        <security:intercept-url pattern="/accounts/**"
                                access="IS_AUTHENTICATED_FULLY" />
        <security:intercept-url pattern="/customers/**"
                                access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </security:http>
</beans>

And it is specified that:

intercept-urls are evaluated in the order listed: first match is used, put specific matches first.

But what exactly does that mean?

So I know that the intercept-url's of the security namespace are used to define which URLs are to be secured (correct me if I am asserting something wrong).

So in the previous example these URLs are secured:

  • /accounts/edit*
  • /accounts/account*
  • /accounts/**
  • /customers/**

But what exactly do the following access roles represent?

For example, for the /accounts/edit* URL, access="ROLE_ADMIN" is specified.

For the /accounts/account* URL, access="ROLE_ADMIN,ROLE_USER" is specified,

and so on. What exactly does it mean? I think it means, but I am absolutely not sure about it, that if a user tries to access /accounts/edit* he has to be an administrator, whereas if he tries to access /accounts/account* he could be an administrator but also a normal user.

Is this interpretation correct or not?

If it is correct, how can I specify whether a user "belongs" to ROLE_ADMIN or ROLE_USER? What exactly do they represent and where are they defined?

And what exactly does it mean that intercept-urls are evaluated in the order listed: first match is used, put specific matches first?

AndreaNobili

  • The role itself is defined by you - you can create as many roles as you want and you can give them any names you want. Then you can specify what each role can or cannot do. About "intercept-urls are evaluated in the order listed: first match is used, put specific matches first ?", I am really not sure what it should mean :) – libik Apr 05 '15 at 15:42


Roles can be defined by you arbitrarily and permission access set for each role as you like.

The intercept URLs need to be listed from most to least specific, because if you put the least specific one first, like this:

pattern="/foo/bar/**"
pattern="/foo/bar/baz*"

when someone navigates to /foo/bar/baz, the permission settings from /foo/bar will get applied, because it is matched first in the list of intercept URLs. This requires more effort on the part of the developer, but it is faster than matching the exact string over every URL in the list. Hope this helps.

kurofune

  • Ok, so are you saying to me that when I do something: it means that the /accounts/edit* resource is accessible from the user if, for this user, the ROLE_ADMIN role is verified. But so it means that "ROLE_ADMIN" is the name of the role? If it is true, can you show me an example of how I can define a role? Tnx – AndreaNobili Apr 05 '15 at 16:33
  • That's correct. The role for the user can be specified in a security-config.xml file and the access limitations added directly to the JSPs. [see example](http://www.concretepage.com/spring/spring-security/how-to-access-roles-and-user-details-using-spring-security) – kurofune Apr 05 '15 at 17:03
  • There are many other things you can do with spring security and different ways to set up the user roles. [This post](http://stackoverflow.com/questions/6357579/spring-security-with-roles-and-permissions), with a good recommended article and further feedback from the author provides more insight. Good luck! – kurofune Apr 05 '15 at 18:02
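To make the "first match wins, specific patterns first" rule concrete, here is an added Python simulation (not Spring's own code) of how an ordered intercept-url list is evaluated, using the rules from the question. It uses a simplified Ant-style matcher and a heuristic check that flags rules an earlier, broader pattern makes unreachable, which is what goes wrong when /accounts/** is listed before /accounts/edit*; the rule lists and URLs are constructed for the example.

```python
import re

# Constructed rules (pattern, access) mirroring the question's <security:http> block,
# in the order the study material recommends: most specific first.
RULES = [
    ("/accounts/edit*", "ROLE_ADMIN"),
    ("/accounts/account*", "ROLE_ADMIN,ROLE_USER"),
    ("/accounts/**", "IS_AUTHENTICATED_FULLY"),
    ("/customers/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
]
# Same rules, but the broad /accounts/** entry moved to the top (the misordering the answer warns about).
MISORDERED = [RULES[2], RULES[0], RULES[1], RULES[3]]


def ant_to_regex(pattern):
    """Simplified Ant-style matching: '**' spans path segments,
    '*' stays inside one segment, '?' is a single character."""
    parts = []
    for tok in re.findall(r"\*\*|\*|\?|[^*?]+", pattern):
        parts.append({"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(tok) or re.escape(tok))
    return re.compile("^" + "".join(parts) + "$")


def first_match(rules, url):
    """Evaluate rules top to bottom; the first pattern that matches decides the access."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(url):
            return pattern, access
    return None, None  # no rule matched: nothing in this list protects the URL


def shadowed_rules(rules):
    """Heuristic config check: flag a rule when an earlier rule already matches
    representative URLs of its pattern, so the later rule can never be reached."""
    shadowed = []
    for j, (later, _) in enumerate(rules):
        samples = [later.replace("**", "a/b").replace("*", "a").replace("?", "a"),
                   later.replace("**", "").replace("*", "").replace("?", "a")]
        for earlier, _ in rules[:j]:
            if all(ant_to_regex(earlier).match(s) for s in samples):
                shadowed.append((later, earlier))
                break
    return shadowed


if __name__ == "__main__":
    for rules in (RULES, MISORDERED):
        print(first_match(rules, "/accounts/edit"), "shadowed:", shadowed_rules(rules))
```

With the misordered list, /accounts/edit is granted to any fully authenticated user instead of ROLE_ADMIN, and the check reports both specific /accounts/ rules as unreachable.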