
I am using Spring MVC 4.1.6 to write a web app running on Tomcat 6.0.43 using java 6.45. I am using form based authentication, and I want all pages to be secure except for the login page and the resources folder, which contains images, etc. I have already read the answer to How to exclude one url from authorization but it does not work for me. I get an error message in my browser "HTTP Status 403 - Access to the requested resource has been denied." I have spent hours trying to figure this out without any success. If anyone has any ideas, they would be greatly appreciated. Shown below is the relevant part of the web.xml.

  <!-- specify which resources are restricted for users -->
  <!-- Catch-all constraint: every URL in the application requires an
       authenticated caller in the "user" role. No <http-method> is listed,
       so the constraint applies to every HTTP verb; enumerating specific
       methods here would leave the unlisted ones unprotected. -->
  <security-constraint>
     <web-resource-collection>
        <web-resource-name>User</web-resource-name>
        <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>

  <!-- specify which resources are not restricted -->
  <!-- A security-constraint with no <auth-constraint> grants access to
       everyone, including unauthenticated callers (servlet spec semantics).
       The exact pattern /login and the prefix pattern /resources/* are more
       specific than /* above, so they take precedence for those paths.
       Keep this list minimal: anything added here is reachable without
       logging in. -->
  <security-constraint>
     <web-resource-collection>
        <web-resource-name>Login</web-resource-name>
        <url-pattern>/login</url-pattern>
        <url-pattern>/resources/*</url-pattern>
     </web-resource-collection>
     <!-- no auth-constraint: deliberately open to all callers -->
  </security-constraint>


  <!-- specify all the roles defined for this web app -->
  <!-- "admin" is declared but not referenced by any <auth-constraint> in
       this excerpt; only "user" is granted access above, so a principal
       holding just "admin" would be denied by the /* constraint. -->
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name> </security-role>


  <!-- specify how the user will be authenticated -->
  <!-- NOTE(review): this element is the source of the 403. In the servlet
       deployment descriptor, <auth-method> and <form-login-config> are
       children of <login-config>; a bare <form-login-config> at this level
       is not a valid login configuration. Tomcat did not reject the file,
       but presumably no FORM authentication was ever set up, so requests
       matching /* were denied. The answer below shows the correct nesting. -->
  <form-login-config>
     <auth-method>FORM</auth-method>
     <form-login-page>/login</form-login-page>
     <form-error-page>/login</form-error-page>
  </form-login-config>

And finally, here is the folder structure of my web app as it is deployed in the tomcat server.




It turns out there was an error in the web.xml that Tomcat was not complaining about: the form login settings were not nested inside a login-config element. Once I fixed that, the HTTP 403 error went away. Here is the corrected web.xml.

      <!-- specify which resources are restricted for users -->
  <!-- Catch-all constraint: every URL requires an authenticated caller in
       the "user" role. No <http-method> is listed, so all HTTP verbs are
       covered; listing specific methods would leave the rest unprotected.
       Consider also adding a <user-data-constraint> with
       <transport-guarantee>CONFIDENTIAL</transport-guarantee> so the posted
       form credentials and the session cookie are only sent over TLS. -->
  <security-constraint>
     <web-resource-collection>
        <web-resource-name>protected resources</web-resource-name>
        <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>

  <!-- specify which resources are not restricted -->
  <!-- Omitting <auth-constraint> makes these resources available to
       unauthenticated callers. The exact pattern /login and the prefix
       pattern /resources/* are more specific than /* above and therefore
       win for those paths. Everything listed here is reachable without
       logging in, so keep it to the login page and static assets. -->
  <security-constraint>
     <web-resource-collection>
        <web-resource-name>unrestricted resources</web-resource-name>
        <url-pattern>/login</url-pattern>
        <url-pattern>/resources/*</url-pattern>
     </web-resource-collection>
     <!-- no auth-constraint: deliberately open to all callers -->
  </security-constraint>


  <!-- specify all the roles defined for this web app -->
  <!-- "admin" is declared but no <auth-constraint> in this excerpt names
       it; only "user" is granted access to the protected resources. -->
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name> </security-role>


  <!-- specify how the user will be authenticated -->
  <!-- FORM authentication. <auth-method> and <form-login-config> must be
       direct children of <login-config>; this nesting is what the original
       (broken) web.xml lacked. <realm-name> is only used for HTTP BASIC
       challenges and is ignored for FORM, so its value is harmless here.
       Because the error page is the login page itself, a failed login
       simply redisplays the form with no separate error indication. -->
  <login-config>
     <auth-method>FORM</auth-method>
     <realm-name>default</realm-name>
     <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/login</form-error-page>
     </form-login-config>
  </login-config>