
I have this case in my project:

Imagine we have these two lines to define Spring Security access rules:

<intercept-url pattern="/xxx/*" access="isAuthenticated() and (hasRole('roleA') or hasRole('roleB'))" />
<intercept-url pattern="/xxx/yyy*" access="isAuthenticated() and (hasRole('role1') or hasRole('role2'))" />

These two patterns are nested, and a user may have a combination of roles like "roleA" and "role1", or "roleA" and "role2". What I want to achieve is to make users who have "roleC" and "role1" unable to access /xxx/yyy*.

So my question is:

When a user with "roleC" and "role1" wants to get access with pattern "xxx/yyy222.html", will all lines of access rules be checked, or only the second line? When considering the access rules for the second line, can I take it for granted that users who can get into the url "xxx/yyy*" have only "roleA" and "roleB", or must I put complete rules on each single line of rules?

Cœur
WesternGun

1 Answer


The intercept-urls are processed in the order they are defined; the first one with a pattern that matches the request path decides the access.

When a user with "roleC" and "role1" wants to get access with pattern "xxx/yyy222.html", will all lines of access rules be checked, or only the second line?

This matches the pattern of the first line and access will be denied.

When considering the access rules for the second line, can I take it for granted that users who can get into the url "xxx/yyy*" have only "roleA" and "roleB", or must I put complete rules on each single line of rules?

The second line will never be evaluated. Be sure to specify the more specific pattern first.

What I want to achieve is to make users who have "roleC" and "role1" unable to access /xxx/yyy*.

Maybe you want something like:

<intercept-url pattern="/xxx/yyy*" access="isAuthenticated() and !(hasRole('roleC') and hasRole('role1'))" />
holmis83
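The first-match behaviour the answer describes can be checked with a small simulator. The following is an added example, not code from the question, the answer or Spring Security: it models `<intercept-url>` rules as an ordered list, translates Ant-style patterns to regexes, and stands in for the SpEL `access` strings with plain Python predicates over the user's role set (`isAuthenticated()` is taken as true because every simulated user is logged in). The reordered rule set is an assumption of mine: it puts the `/xxx/yyy*` rule first and gives it the complete condition (the outer `roleA`/`roleB` requirement combined with the answer's `!(hasRole('roleC') and hasRole('role1'))`), because a rule that matches first cannot rely on a later rule being applied as well.

```python
"""Simulate Spring Security's first-match evaluation of <intercept-url> rules.

Constructed model for illustration, not Spring code: '**' spans path
segments, '*' stays inside one segment, and access expressions are Python
predicates standing in for the SpEL strings on the page.
"""
import re
from typing import Callable, FrozenSet, List, NamedTuple, Optional, Tuple

Roles = FrozenSet[str]


class Rule(NamedTuple):
    pattern: str                       # Ant-style pattern from the intercept-url
    access: Callable[[Roles], bool]    # stands in for the SpEL access attribute
    name: str                          # label returned with the decision


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regex."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")            # '**' crosses path segments
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")         # '*' stays within one segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def decide(rules: List[Rule], path: str, roles: Roles) -> Tuple[Optional[str], Optional[bool]]:
    """Return (name of the first matching rule, its verdict).

    Later rules are never consulted once a pattern matches. If no rule
    matches, (None, None) is returned; the simulator makes no claim about
    Spring's default in that case.
    """
    for rule in rules:
        if ant_to_regex(rule.pattern).match(path):
            return rule.name, rule.access(roles)
    return None, None


def has_any(roles: Roles, *names: str) -> bool:
    return any(n in roles for n in names)


def page_rules_original() -> List[Rule]:
    """The two lines exactly as ordered in the question: general rule first."""
    return [
        Rule("/xxx/*",    lambda r: has_any(r, "roleA", "roleB"), "line 1"),
        Rule("/xxx/yyy*", lambda r: has_any(r, "role1", "role2"), "line 2"),
    ]


def page_rules_reordered() -> List[Rule]:
    """Assumed fix: specific pattern first, carrying the complete condition."""
    return [
        Rule("/xxx/yyy*",
             lambda r: has_any(r, "roleA", "roleB")
             and not ("roleC" in r and "role1" in r),
             "specific"),
        Rule("/xxx/*", lambda r: has_any(r, "roleA", "roleB"), "general"),
    ]


def shadowed_rules(rules: List[Rule], sample_paths: List[str]) -> List[str]:
    """Names of rules that never win first match for any of the sample paths.

    A rule listed here is dead configuration for those paths: its access
    expression is never evaluated, however strict it is.
    """
    winners = {decide(rules, p, frozenset())[0] for p in sample_paths}
    return [r.name for r in rules if r.name not in winners]


if __name__ == "__main__":
    user = frozenset({"roleC", "role1"})
    print(decide(page_rules_original(), "/xxx/yyy222.html", user))
    print(decide(page_rules_reordered(), "/xxx/yyy222.html", user))
    print(shadowed_rules(page_rules_original(), ["/xxx/yyy222.html", "/xxx/a.html"]))
```

With the original order, `/xxx/yyy222.html` is decided by line 1 for every user, so a user holding `roleA` but neither `role1` nor `role2` is still let in: line 2 is shadowed and its role check is never enforced. Reordering makes the specific rule decisive, which is exactly why it must state all of its conditions itself.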