GPSPRINGSECURITYCORE-30: InterceptUrlMapFilterInvocationDefinition and a minor difference in request URLs - Tomcat vs. Weblogic #193

@graemerocher

Description

Original Reporter: daniel_henrique
Environment: Not Specified
Version: Not Specified
Migrated From: http://jira.grails.org/browse/GPSPRINGSECURITYCORE-30

When requesting http(s)://host/mywebapp/, InterceptUrlMapFilterInvocationDefinition.determineUrl() produces different results for Tomcat and Weblogic. This behavior can be observed using a custom InterceptUrlMapFilterInvocationDefinition:

```java
@Override
protected String determineUrl(final FilterInvocation filterInvocation) {
   HttpServletRequest request = filterInvocation.getHttpRequest();

   // Candidate 1: request URI with the context path stripped off
   String requestUrl = request.getRequestURI().substring(request.getContextPath().length());
   String targetUrl = lowercaseAndStripQuerystring(requestUrl);

   // Candidate 2: the servlet path as reported by the container
   String targetUrl2 = request.getServletPath();
   if (getUrlMatcher().requiresLowerCaseUrl()) {
      targetUrl2 = targetUrl2.toLowerCase();
   }

   // Log both candidates so the containers can be compared
   if (log.isDebugEnabled()) {
      log.debug("targetUrl = " + targetUrl);
      log.debug("targetUrl2 = " + targetUrl2);
   }

   // The servlet-path value is the one used for the rule lookup
   return targetUrl2;
}
```

targetUrl will be '/' under Tomcat
targetUrl will be '/index.jsp' under Weblogic

But targetUrl2 will be '/index.jsp' under both.

Another observation, related to the original poster's issue, is: despite Ant pattern set usage (http://ant.apache.org/manual/Types/patternset.html), all patterns used in interceptUrlMap should start with '/', even for extension mapping. `**/*.jsp` won't work, but `/**/*.jsp` will do.

http://grails.1312388.n4.nabble.com/Spring-security-core-Weblogic-vs-Tomcat-td3357411.html

The logs generated by the test application:

== Tomcat ==

2011-03-16 10:20:21,544 [http-8080-1] DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl = /
2011-03-16 10:20:21,544 [http-8080-1] DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl2 = /index.jsp
2011-03-16 10:20:21,559 [http-8080-1] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /index.jsp; Attributes: [ROLE_admin]

2011-03-16 10:20:21,591 [http-8080-1] DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl = /login/auth
2011-03-16 10:20:21,591 [http-8080-1] DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl2 = /login/auth
2011-03-16 10:20:21,591 [http-8080-1] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /login/auth; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]

2011-03-16 10:56:01,550 [http-8080-1] DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl = /css/main.css
2011-03-16 10:56:01,550 [http-8080-1] DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl2 = /css/main.css
2011-03-16 10:56:01,550 [http-8080-1] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /css/main.css?a=x&b=y; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]

== Weblogic ==

2011-03-16 10:30:59,190 19282 DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl = /index.jsp
2011-03-16 10:30:59,190 [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl = /index.jsp
2011-03-16 10:30:59,190 19282 DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl2 = /index.jsp
2011-03-16 10:30:59,190 [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl2 = /index.jsp
2011-03-16 10:30:59,221 19313 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /index.jsp; Attributes: [ROLE_admin]
2011-03-16 10:30:59,221 [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /index.jsp; Attributes: [ROLE_admin]

2011-03-16 10:30:59,346 19438 DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl = /login/auth
2011-03-16 10:30:59,346 [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl = /login/auth
2011-03-16 10:30:59,346 19438 DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl2 = /login/auth
2011-03-16 10:30:59,346 [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl2 = /login/auth
2011-03-16 10:30:59,346 19438 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /login/auth; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
2011-03-16 10:30:59,346 [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /login/auth; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]

2011-03-16 10:56:14,472 1534564 DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl = /css/main.css
2011-03-16 10:56:14,472 [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl = /css/main.css
2011-03-16 10:56:14,472 1534564 DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl2 = /css/main.css
2011-03-16 10:56:14,472 [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG myapp.InterceptUrlMapFilterInvocationDefinition  - targetUrl2 = /css/main.css
2011-03-16 10:56:14,472 1534564 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /css/main.css?a=x&b=y; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
2011-03-16 10:56:14,472 [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /css/main.css?a=x&b=y; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
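
The effect of the two URL derivations on rule lookup, as an added illustration that is not code from the issue or from the plugin. The class name, the rule map and the simplified Ant-style matcher are assumptions made for the example; the URL values are the ones reported in the logs above.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class InterceptUrlLookupDemo {

    // Simplified Ant-style match (a stand-in, not Spring's matcher): '**' spans
    // directories, '*' stays within one segment. A pattern that does not start
    // with '/' never matches a path that does, as observed in the issue.
    static boolean antMatch(String pattern, String path) {
        if (pattern.startsWith("/") != path.startsWith("/")) return false;
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < pattern.length(); ) {
            if (pattern.startsWith("**/", i)) { re.append("(?:.*/)?"); i += 3; }
            else if (pattern.startsWith("**", i)) { re.append(".*"); i += 2; }
            else if (pattern.charAt(i) == '*') { re.append("[^/]*"); i++; }
            else { re.append(Pattern.quote(pattern.substring(i, i + 1))); i++; }
        }
        return Pattern.matches(re.toString(), path);
    }

    // First matching pattern wins; null means no rule covers the URL.
    static String lookup(Map<String, String> rules, String url) {
        for (Map.Entry<String, String> e : rules.entrySet())
            if (antMatch(e.getKey(), url)) return e.getValue();
        return null;
    }

    public static void main(String[] args) {
        Map<String, String> rules = new LinkedHashMap<>();   // constructed sample map
        rules.put("/**/*.jsp", "ROLE_admin");
        rules.put("/login/**", "IS_AUTHENTICATED_ANONYMOUSLY");
        rules.put("/css/**", "IS_AUTHENTICATED_ANONYMOUSLY");

        // Values the issue reports for a request to http(s)://host/mywebapp/
        String[][] observed = {
            {"Tomcat   requestURI - contextPath", "/"},
            {"Weblogic requestURI - contextPath", "/index.jsp"},
            {"both     getServletPath()", "/index.jsp"},
        };
        for (String[] o : observed)
            System.out.println(o[0] + " -> " + o[1] + " -> " + lookup(rules, o[1]));

        // The same extension pattern with and without the leading '/'
        System.out.println("**/*.jsp  : " + antMatch("**/*.jsp", "/index.jsp"));
        System.out.println("/**/*.jsp : " + antMatch("/**/*.jsp", "/index.jsp"));
    }
}
```

With the request-URI derivation the same request resolves to a different rule on each container, while the servlet-path derivation gives one lookup key on both.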
