Alex Khromov (Migrated from SEC-2104) said:
Below are two snippets from my spring-security.xml. The first one is buggy, the second one is good. The problem is that I don't see any sensible difference between them, and it cost me many hours until I evolved from version 2 to version 1.
1.
<http pattern="/perm1/**" use-expressions="true">
    <intercept-url pattern="/perm1/**" access="hasRole ( 'ROLE_REGISTERED' )" />
    <form-login />
    <logout />
</http>
<http pattern="/**" security="none" />
2.
<http use-expressions="true">
    <intercept-url pattern="/perm1/**" access="hasRole ( 'ROLE_REGISTERED' )" />
    <intercept-url pattern="/**" access="permitAll" />
    <form-login />
    <logout />
</http>
The buggy snippet gives the following error page for "http://localhost:8080/spring_security_login": HTTP Status 404 - type Status report message description The requested resource () is not available.
Comment From: spring-projects-issues
Rob Winch said:
There is a clear difference between the two, and it is shown in the hierarchy. With
There is a possibility that we can give an error when this is improperly configured, but this may change in 3.2 when we allow RequestMatchers to be injected into the Filters. In that instance it will be quite difficult to detect that the configuration was done improperly. I'm adding to the 3.2 backlog to investigate at that time.
Comment From: jzheaux
Hi, Alex.
The difference is that access="permitAll" and security="none" are not the same thing.
permitAll means only that no authorization rules are applied. All the authentication and web application security defense mechanisms are in place.
security="none" means that Spring Security should not participate in those requests at all. These requests won't get any of the defense mechanisms Spring Security offers, for example.
If you only want Spring Security to be applied to /perm1/**, then the first one is what you want (though this usually is not recommended). If you want Spring Security to be applied to everything, but only /perm1/** requires any kind of authorization, then the second one is what you want.
That said, both setups are not the most secure as it means that only one section of your site is requiring authentication (perhaps this is what you want). I wonder if you can do something more like the following:
<http use-expressions="true">
    <intercept-url pattern="/public/**" access="permitAll" />
    <intercept-url pattern="/perm1/**" access="hasRole ( 'ROLE_REGISTERED' )" />
    <intercept-url pattern="/**" access="authenticated" />
    <form-login />
    <logout />
</http>
This means that you have a section of your site that does not require any authorization (/public/**), a portion that requires elevated privileges, and the rest requires authentication.
Either way, if you want to learn more or have more questions along these lines, please consider posting a question to StackOverflow. Our team monitors the spring-security tag.
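The following is an added example, not code from this thread or from Spring Security itself. It is a small Python model of the two first-match rules that decide the behaviour discussed above: FilterChainProxy hands a request to the first <http> chain whose pattern matches, and inside that chain the first matching <intercept-url> decides access. The three XML snippets from the thread are parsed as-is; the only assumptions are the Spring Security 3.x default login URL /spring_security_login (the URL in the 404 report) and a simplified Ant-style matcher. Running it shows why snippet 1 yields a 404 for the login page: the request falls into the security="none" chain, so the form-login filter in the /perm1/** chain never sees it, and no defence filter runs for it either.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: Spring Security 3.x default form-login URL (the one in the 404 report).
LOGIN_URL = "/spring_security_login"

# Constructed input: the three <http> configurations posted in the thread.
SNIPPET_1 = """
<http pattern="/perm1/**" use-expressions="true">
    <intercept-url pattern="/perm1/**" access="hasRole ( 'ROLE_REGISTERED' )" />
    <form-login />
    <logout />
</http>
<http pattern="/**" security="none" />
"""
SNIPPET_2 = """
<http use-expressions="true">
    <intercept-url pattern="/perm1/**" access="hasRole ( 'ROLE_REGISTERED' )" />
    <intercept-url pattern="/**" access="permitAll" />
    <form-login />
    <logout />
</http>
"""
SNIPPET_3 = """
<http use-expressions="true">
    <intercept-url pattern="/public/**" access="permitAll" />
    <intercept-url pattern="/perm1/**" access="hasRole ( 'ROLE_REGISTERED' )" />
    <intercept-url pattern="/**" access="authenticated" />
    <form-login />
    <logout />
</http>
"""


def ant_match(pattern, path):
    """Simplified Ant-style matching: ** spans directories, * and ? stay within one segment."""
    regex = ""
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            regex, i = regex + ".*", i + 2
        elif pattern[i] == "*":
            regex, i = regex + "[^/]*", i + 1
        elif pattern[i] == "?":
            regex, i = regex + "[^/]", i + 1
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    if re.fullmatch(regex, path):
        return True
    # AntPathMatcher also lets "/perm1/**" match "/perm1" itself.
    return pattern.endswith("/**") and path == pattern[:-3]


def parse_config(xml_text):
    """Return the <http> chains in document order; a missing pattern means 'everything'."""
    root = ET.fromstring("<beans>" + xml_text + "</beans>")
    chains = []
    for http in root.findall("http"):
        chains.append({
            "pattern": http.get("pattern", "/**"),
            "bypassed": http.get("security") == "none",
            "form_login": http.find("form-login") is not None,
            # Normalise access expressions so "hasRole ( 'X' )" becomes "hasRole('X')".
            "rules": [(u.get("pattern"), re.sub(r"\s+", "", u.get("access")))
                      for u in http.findall("intercept-url")],
        })
    return chains


def resolve(chains, path):
    """Return (chain number, outcome) for a request path, mimicking first-match selection."""
    for number, chain in enumerate(chains, start=1):
        if not ant_match(chain["pattern"], path):
            continue
        if chain["bypassed"]:
            # security="none": no Spring Security filter runs, the container serves the path
            # itself, and an unknown URL such as the login page is a plain 404.
            return number, "BYPASSED"
        if chain["form_login"] and path == LOGIN_URL:
            # The form-login filter answers the login URL before any intercept-url is consulted.
            return number, "LOGIN_PAGE"
        for url_pattern, access in chain["rules"]:
            if ant_match(url_pattern, path):
                return number, access
        return number, "NO_RULE"
    return None, "NO_CHAIN"


if __name__ == "__main__":
    for name, snippet in (("snippet 1", SNIPPET_1), ("snippet 2", SNIPPET_2), ("snippet 3", SNIPPET_3)):
        chains = parse_config(snippet)
        for path in (LOGIN_URL, "/perm1/page", "/public/page", "/other"):
            print(name, path, "->", resolve(chains, path))
```

Snippet 1 sends /other and the login URL to the chain with security="none", so nothing Spring Security provides applies to them; snippet 2 keeps every request inside one secured chain and only relaxes authorization for it, which is the distinction jzheaux draws between permitAll and security="none".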