Spring Security, trailing slashes, and dots in URLs
<p>I use Spring Security 3.1.4 to secure a Spring MVC 3.2.4 application deployed to Tomcat. I have the following Spring Security configuration:</p>
<pre class="lang-xml prettyprint-override"><code>&lt;http auto-config="true" use-expressions="true"&gt;
    &lt;http-basic /&gt;
    &lt;logout ... /&gt;
    &lt;form-login ... /&gt;
    &lt;intercept-url pattern="/" access="isAnonymous() or hasRole('ROLE_USER')" /&gt;
    &lt;intercept-url pattern="/about" access="isAnonymous() or hasRole('ROLE_USER')" /&gt;
    &lt;intercept-url pattern="/login" access="isAnonymous() or hasRole('ROLE_USER')" /&gt;
    &lt;intercept-url pattern="/under-construction" access="isAnonymous() or hasRole('ROLE_USER')" /&gt;
    &lt;intercept-url pattern="/admin-task*" access="hasRole('ROLE_USER') and hasRole('ROLE_ADMINISTRATOR')" /&gt;
    &lt;intercept-url pattern="/resources/**" access="isAnonymous() or hasRole('ROLE_USER')" /&gt;
    &lt;intercept-url pattern="/**" access="hasRole('ROLE_USER')" /&gt;
&lt;/http&gt;
</code></pre>
<p>I noticed that URL patterns without a trailing slash (e.g., <code>/about</code>) do not match URLs with a trailing slash (e.g., <code>/about/</code>) and vice versa. In other words, a URL with a slash and an identical URL without a slash are treated as two different URLs by Spring Security.</p>
<p>The problem could be fixed by using two security rules:</p>
<pre class="lang-xml prettyprint-override"><code>&lt;intercept-url pattern="/about" access="isAnonymous() or hasRole('ROLE_USER')" /&gt;
&lt;intercept-url pattern="/about/" access="isAnonymous() or hasRole('ROLE_USER')" /&gt;
</code></pre>
<p>Is there a better solution?</p>
<p>I know that <code>path-type="regex"</code> allows defining URL patterns with regular expressions, but I would like to avoid any unnecessary complexity if it's possible.</p>
<p><strong>Update</strong></p>
<p>As Adam Gent noted, there is an additional problem that involves URLs with a dot: <code>/about.foo</code> and <code>/about</code> are treated as the same URL by Spring MVC. However, Spring Security treats them as two different URLs. So, one more security rule may be necessary:</p>
<pre class="lang-xml prettyprint-override"><code>&lt;intercept-url pattern="/about.*" .../&gt;
</code></pre>
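<p>The gap described in the question can be checked mechanically. The following is an added example, not code from the question or from Spring: it replays request-path variants (trailing slash, dot suffix) against the question's own <code>intercept-url</code> patterns in declaration order using Spring's <code>AntPathMatcher</code>, which the default ant <code>path-type</code> in Spring Security 3.1 delegates to, and flags every variant that lands on a different rule than its canonical path. It assumes <code>spring-core</code> is on the classpath; the <code>.foo</code> and <code>.json</code> suffixes are constructed test inputs.</p>

```java
// Added example (not from the question): checks which intercept-url rule each
// request-path variant resolves to. Requires spring-core on the classpath.
import org.springframework.util.AntPathMatcher;

public class InterceptUrlCoverageCheck {
    // Patterns in the order they appear in the question's <http> block.
    // Spring Security applies the FIRST pattern that matches, so order matters.
    static final String[][] RULES = {
        {"/",                   "isAnonymous() or hasRole('ROLE_USER')"},
        {"/about",              "isAnonymous() or hasRole('ROLE_USER')"},
        {"/login",              "isAnonymous() or hasRole('ROLE_USER')"},
        {"/under-construction", "isAnonymous() or hasRole('ROLE_USER')"},
        {"/admin-task*",        "hasRole('ROLE_USER') and hasRole('ROLE_ADMINISTRATOR')"},
        {"/resources/**",       "isAnonymous() or hasRole('ROLE_USER')"},
        {"/**",                 "hasRole('ROLE_USER')"},
    };

    // Same matcher class the ant path-type uses; '/about' does not match '/about/'
    // and '*' never crosses a '/' boundary.
    static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Access expression of the first rule whose pattern matches the given path. */
    static String accessFor(String path) {
        for (String[] rule : RULES) {
            if (MATCHER.match(rule[0], path)) {
                return rule[1];
            }
        }
        return "(no rule)";
    }

    public static void main(String[] args) {
        // Canonical paths that Spring MVC 3.2 would also route when a trailing slash
        // or a suffix is appended (useTrailingSlashMatch and useSuffixPatternMatch
        // both default to true in RequestMappingHandlerMapping).
        String[] canonical = {"/about", "/under-construction", "/admin-task"};
        for (String path : canonical) {
            String expected = accessFor(path);
            for (String variant : new String[]{path + "/", path + ".foo", path + ".json"}) {
                String actual = accessFor(variant);
                // GAP: MVC serves the same handler, but a different security rule applies.
                String flag = actual.equals(expected) ? "ok " : "GAP";
                System.out.printf("%s %-28s -> %s%n", flag, variant, actual);
            }
        }
    }
}
```

<p>The run shows two kinds of mismatch from the question's configuration: <code>/about/</code> and <code>/about.foo</code> fall through to the catch-all <code>/**</code> (anonymous users are denied, a functional bug), while <code>/admin-task/</code> also falls through to <code>/**</code> and so requires only <code>ROLE_USER</code> although the same handler would be reached; the latter is the case worth fixing first.</p>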