Configuring Spring Security for finer grained url pattern matching with a Spring Roo app

By default, after you’ve added Spring Security to your Roo app with ‘security setup’, you get an example config in a applicationContext-security.xml file like this:

    <http auto-config="true" use-expressions="true">
    	<form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
        <logout logout-url="/resources/j_spring_security_logout"/>

        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/member/**" access="isAuthenticated()" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/**" access="permitAll" />
    </http>

The default pattern matching approach is to use Ant style path matching. If you need to be more specific for what URLs you need to define security against, then you can change to use regex style pattern matching by adding this attribute to the <http> element:

<http ... path-type="regex" ... >

Now, let’s say you need to have different roles for creating verses listing member records – Spring Roo uses a couple of GET parameters to distinguish between these actions, so using regex you can match on these like this:

        <intercept-url pattern="/member?form" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/member?page.*" access="hasRole('ROLE_USER')" />

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.