Spring security issue with 404 error?

Question

greetings all, i am using spring security 3.0.2, urlRewrite 3.1.0 , and i have a problem with spring security that i have a rule that all the pages in the app requires authe

Answer 1

Yep just add this:

<intercept-url pattern="/error/**" access="permitAll" />

That will make it so that anyone can get to all your error pages.

Answer 2

Add /error to your list of <intercept-url/> elements so that it doesn't require authentication in order to access it.

Answer 3

You have said:

i want that if the user typed a bad url if he's logged in or not, he's redirected to the error page directly

Spring security will intercept every request before it knows whether its url is valid or not, so a way to get it would be intercept all valid urls with some patterns, and add at the end a general pattern which could be accessed by anyone.

<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/validUrl1Pattern"  access="permitAll" />  
<intercept-url pattern="/validUrl2Pattern"  access="permitAll" />  
<intercept-url pattern="/validUrl2Pattern"  access="permitAll" />  
...
<intercept-url pattern="/**" access="ROLE_ANONYMOUS" />

The problem of this configuration is that is probably difficult to find patterns for all the valid urls if your application is complex.

Answer 4

when you set the attribute access="true", you tell spring-security to check if the user has the security attribute (which is normally a role) named "true" . I don't think that is your goal?

to bypass security, you may set filters="none" and skip the access attribute: <intercept-url pattern="/errorpage" filters="none" />

see documentation of <intercept-url>