Understanding Acegi’s FilterSecurityInterceptor and URL matching

The ‘CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON’ parameter to FilterSecurityInterceptor means exactly that – URLs are converted to lower case for comparison with the patterns that you define.

If you use CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON, then make sure all the URL patterns you specify are also in lower case, otherwise you will never get a match. This seems obvious, but it took me several hours of trial and error before I spotted what was not working in my configuration.

For example, take this snippet of configuration:

<code>
    &lt;bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"&gt;
        &lt;property name="authenticationManager"&gt;
        &lt;ref bean="authenticationManager"/&gt;&lt;/property&gt;
        &lt;property name="accessDecisionManager"&gt;
        &lt;ref bean="accessDecisionManager"/&gt;&lt;/property&gt;
        &lt;property name="objectDefinitionSource"&gt;
            &lt;value&gt;
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /acegilogin.jsp*=ROLE_ANONYMOUS, ROLE_ADMIN
                /=ROLE_ANONYMOUS, ROLE_ADMIN
                /index.jsp=ROLE_ANONYMOUS, ROLE_ADMIN

                /item/show/**=ROLE_ANONYMOUS, ROLE_ADMIN
                /item/list/**=ROLE_ANONYMOUS, ROLE_ADMIN
                /item/doSomeOtherThing=ROLE_ANONYMOUS, ROLE_ADMIN
                ...
    &lt;/bean&gt;
</code>

The URL ‘/item/doSomeOtherThing’ is never going to be matched, since the incoming URLs for comparison are converted to lowercase by the CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON instruction.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.