
I'm trying to unsecure the /** pattern, but all my tries are in vain so far.

This is what I'm doing:

<security:intercept-url pattern="/**" filters="none" />

My configuration doesn't contain any more intercept-url definitions.

However after accessing any URL I still get redirected to the default entry point...

I debugged the Spring Security source and I can actually see the filters being loaded for the URL I'm trying to access. (FilterChainProxy line: 154, the filters list is full)

Any insight into why this happens and how to unsecure /** would be very appreciated.

I'm using 3.0.5.RELEASE


EDIT:

Security configuration:

<security:http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <!-- dev --><security:intercept-url pattern="/**" filters="none" />

    <security:custom-filter position="FORM_LOGIN_FILTER" ref="absoluteUrlSsoFilter" />
</security:http>

<security:authentication-manager>
    <security:authentication-provider user-service-ref="ssoDetailsService" />
</security:authentication-manager>

This is the relevant part, I could also give you the bean definitions, but I doubt the problem is there.

Simeon
  • can you post the full spring security configuration? – matt b Jun 02 '11 at 15:32
  • If you have not already done so, please set the log level to DEBUG and review the log output. There should be a very clear indication when and why you are being redirected to the login page. Please post back with this additional detail and you should be able to get some meaningful responses. – Peter Mularien Jun 02 '11 at 16:47
  • @Peter I have, yes, and the debug log said something similar to "candidate is: '/resource.html', pattern is: '/**', matched: true", after which it prints the filter chain it's going to execute. I will post the exact log tomorrow as I don't have it currently. Actually the log should say "candidate is: '/resource.html', pattern is: '/**', matched: true" and then "/** has an empty filter list", as it does for all patterns other than /** – Simeon Jun 02 '11 at 17:02
  • Just curious if you ever got this resolved? – Peter Mularien Jun 24 '11 at 15:06
  • @Peter well turns out `filters="none"` on /** doesn't work on 3.0, it will be possible in 3.1 because of the multiple elements. Here is more info http://forum.springsource.org/showthread.php?110156-Why-can-t-I-unsecure-**-URL-pattern-with-filters-quot-none-quot, and here is some more https://jira.springsource.org/browse/SEC-1758, in any case you don't need this to work because you can use IS_AUTHENTICATED_ANONYMOUSLY – Simeon Jun 24 '11 at 21:52

2 Answers

At least in Grails, you could set the security setting to IS_AUTHENTICATED_ANONYMOUSLY. Since the Grails Spring Security plugin is based on Spring Security, I bet this would work.

No need to play with filters or anything.

hvgotcodes
  • Will try it, but if this works and filters="none" doesn't, this looks like a bug. I mean, if I say filters="none" it should not load any filters for the matched URL, right? – Simeon Jun 02 '11 at 14:58
  • @simeon there is an example here http://ikennaokpala.wordpress.com/2010/05/21/configuring-spring-security/ – hvgotcodes Jun 02 '11 at 15:03
  • Works, but still I wonder why filters="none" doesn't. This looks like a bug. – Simeon Jun 02 '11 at 15:14
  • @simeon, make sure you put that last in your definitions, or else your entire site will be authenticated anonymously. Spring Security uses the first URL mapping that matches, so put the most detailed mappings first. – hvgotcodes Jun 02 '11 at 15:22
  • Yes, actually spring warns you if you have intercept-url definitions after the /** pattern. – Simeon Jun 02 '11 at 15:23
  • I was wrong, sorry... doesn't work... I still get redirected. – Simeon Jun 02 '11 at 15:25
  • @simeon, my guess is you are somehow hitting a URL that is being picked up by another definition, or you are not redirecting where you think you are. Turn up the logging and use your debugger to step through the authentication steps. – hvgotcodes Jun 02 '11 at 15:27
  • My configuration doesn't contain any more intercept-url definitions. Only and I still get redirected. – Simeon Jun 02 '11 at 15:29
  • turns out that IS_AUTHENTICATED_ANONYMOUSLY doesn't work because of my bean configuration error, so your initially suggested way to do it is the right one :) – Simeon Jun 06 '11 at 11:38
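The ordering point raised in the comments above (first matching intercept-url wins, so the catch-all goes last), shown as an added example that is not part of the original question or answers. The /admin/** and /account/** patterns and their roles are assumptions; the http element attributes and the custom filter reference are taken from the question's posted configuration, which uses use-expressions="true" and therefore needs SpEL values such as permitAll rather than IS_AUTHENTICATED_ANONYMOUSLY.

```xml
<!-- Added example (not from the original post): leave most of the site open and
     secure a few URLs explicitly with Spring Security 3.0 namespace configuration.
     intercept-url elements are evaluated top to bottom and the first match wins,
     so the specific secured patterns come first and the /** catch-all comes last.
     Because use-expressions="true" (as in the question's config), access values
     are SpEL expressions: permitAll, not the IS_AUTHENTICATED_ANONYMOUSLY attribute. -->
<security:http auto-config="false" use-expressions="true"
               entry-point-ref="loginUrlAuthenticationEntryPoint">

    <!-- Secured area (assumed patterns/roles). These must precede /**,
         otherwise the catch-all would swallow them and they would never apply. -->
    <security:intercept-url pattern="/admin/**"   access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/account/**" access="isAuthenticated()" />

    <!-- Everything else is open to anonymous users. Unlike filters="none", the
         security filter chain still runs here, so the SecurityContext is populated
         and the form-login filter below keeps handling the login URL. -->
    <security:intercept-url pattern="/**" access="permitAll" />

    <security:custom-filter position="FORM_LOGIN_FILTER" ref="absoluteUrlSsoFilter" />
</security:http>
```

Spring Security logs a warning if any intercept-url follows the /** pattern, which is a quick way to catch an ordering mistake when reviewing such a file.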

Why configure Spring Security if You want to turn it off completely in the first place?

If You want it off in dev mode, why not put it in a separate XML file, not load that single file when in dev mode, and comment out the springSecurityFilterChain in web.xml? (The second one You can do with Maven resource processing.)

Or try some dummy entry before the /** matcher:

<security:intercept-url pattern="/dummy" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/**" filters="none" />

I still don't really get why You would need security fully configured and turned off at the same time.

Roadrunner
  • The configuration I posted is the resulting configuration after removing all other intercept-url definitions. I don't want to turn it off completely, and I don't know where you got that idea from :) I do however want the larger part of my application to be unsecured, and I want to add secured URLs explicitly, since they are much fewer than the secured ones. Securing /** and adding unsecured URLs explicitly would lead to a MUCH larger security config. – Simeon Jun 03 '11 at 10:56
  • I don't see how adding will help me understand why doesn't work. – Simeon Jun 03 '11 at 11:00