Spring Security Allows Unauthorized User Access to Restricted URL from a Forward

Backend · Unresolved · 2 answers · 596 views
醉话见心 · 2021-01-17 06:45

Spring Security 3.2.0.RC2

Given:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
        .authorize         


        
2 answers
  •  天涯浪人
    2021-01-17 07:33

    @kungfuters is correct that the first step is ensuring the Filter is intercepting that request in the first place. To do so with a web.xml you would use the following:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <!-- without FORWARD the container never runs the chain for RequestDispatcher.forward() -->
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

    To do so with Java Configuration you would use the following:

    import java.util.EnumSet;
    import javax.servlet.DispatcherType;
    import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

    public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

        // Dispatch types the springSecurityFilterChain is mapped to; FORWARD is the one that is missing by default.
        @Override
        protected EnumSet<DispatcherType> getSecurityDispatcherTypes() {
            return EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC, DispatcherType.FORWARD);
        }

    }
    

    The last piece is that the FilterSecurityInterceptor (the piece that ensures URLs are protected) by default will only intercept the REQUEST and not additional dispatches (i.e. forwards). This is done because it is quite rare to protect the URLs that are forwarded to (typically you would protect the URL that does the forwarding). To enable that with XML configuration you need to use http@once-per-request=true:

    <!-- once-per-request="false": re-evaluate access on the FORWARD dispatch as well (the default, true, skips it) -->
    <http use-expressions="true" once-per-request="false">
        <intercept-url pattern="/restricted/**" access="hasRole('admin')"/>
    </http>

    Similarly, there is an oncePerRequest property within Java Configuration that can be used. For example:

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .authorizeRequests()
                .filterSecurityInterceptorOncePerRequest(false)
                // make sure to grant access to any login page you are forwarding to
                .antMatchers("/restricted/login").permitAll()
                .antMatchers("/restricted/**").hasRole("admin")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .permitAll()
            // etc
            ;
    }
    

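As an added example (not code from the original question or answer), here is a minimal Spring Security 3.2 Java configuration that combines both changes described in the answer with a Spring MVC controller that forwards from a URL every authenticated user may reach into the admin-only /restricted/** area. The package name, class names, the /report and /restricted/report paths, the in-memory demo accounts, and the assumption that a DispatcherServlet using the default InternalResourceViewResolver (which handles the "forward:" view prefix) is registered elsewhere are all assumptions of this example, not details from the original post.

```java
// File: SecurityWebInitializer.java (assumed name; registers springSecurityFilterChain)
package demo.security; // assumed package, not from the original post

import java.util.EnumSet;

import javax.servlet.DispatcherType;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {

    // Step 1: without FORWARD here the container never invokes the security
    // filter chain for RequestDispatcher.forward(), so no later setting can help.
    @Override
    protected EnumSet<DispatcherType> getSecurityDispatcherTypes() {
        return EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR,
                          DispatcherType.ASYNC, DispatcherType.FORWARD);
    }
}

// File: SecurityConfig.java
package demo.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed demo accounts for local testing only; not real credentials.
        auth.inMemoryAuthentication()
            .withUser("alice").password("alice").roles("USER").and()
            .withUser("admin").password("admin").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Step 2: with the default (true) FilterSecurityInterceptor skips the
                // FORWARD dispatch because it already ran for the original REQUEST.
                .filterSecurityInterceptorOncePerRequest(false)
                .antMatchers("/restricted/**").hasRole("ADMIN")   // granted as ROLE_ADMIN
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .permitAll();
        // Alternative the answer recommends: protect the forwarding URL itself, e.g.
        //   .antMatchers("/report", "/restricted/**").hasRole("ADMIN")
        // so authorization does not depend on the FORWARD dispatch at all.
    }
}

// File: ForwardingController.java
package demo.security;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class ForwardingController {

    // Any authenticated user may call this; the "forward:" view name makes the
    // view resolver call RequestDispatcher.forward() into the admin-only area.
    @RequestMapping("/report")
    public String report() {
        return "forward:/restricted/report";
    }

    @RequestMapping("/restricted/report")
    @ResponseBody
    public String restrictedReport() {
        return "sensitive report";
    }
}
```

To check the fix, log in as alice (role USER) and request /report. With either setting left at its default the forward to /restricted/report is served: either the container does not run the security filter chain for the FORWARD dispatch, or FilterSecurityInterceptor runs but skips the second evaluation because it is once-per-request. With both changes applied the forwarded request is denied with 403. Note that hasRole("ADMIN") in 3.2 is compared against the authority ROLE_ADMIN, which is what roles("ADMIN") assigns.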