SEC-1503: HTTP request 'method' attribute of intercept-url does not appear to be respected #1747

spring-issuemaster opened this Issue Jun 22, 2010 · 2 comments


Keith Donald (Migrated from SEC-1503) said:

I'm attempting to have the following:

  • GET /signin -- login-page
  • POST /signin - login-processing-url

To do this I tried the following config:

<http use-expressions="true">
  <!-- Authentication policy -->
  <form-login login-page="/signin" login-processing-url="/signin" authentication-failure-handler-ref="authenticationFailureHandler" />
  <logout logout-url="/signout" />
  <!-- Authorization policy -->
  <intercept-url pattern="/" access="permitAll" />
  <intercept-url pattern="/signup" access="permitAll" />
  <intercept-url pattern="/signin" filters="none" method="GET" />
  <intercept-url pattern="/signin" access="permitAll" method="POST" />
  <intercept-url pattern="/resources/**" access="permitAll" />
  <intercept-url pattern="/**" access="isAuthenticated()" />
</http>

Unfortunately, when I POST to /signin, the 'filters="none"' rule seems to be enforced (which I tried to only set on GET /signin). As a result, the filter never picks up my authentication request.


Keith Donald said:

I was able to work around this problem by making "/signin/authenticate" the login-processing URL and POSTing to it.


Luke Taylor said:

The "method" attribute only applies to the access constraint. Using filters="none" will bypass Spring Security entirely. An alternative is to use the "IS_AUTHENTICATED_ANONYMOUSLY" access attribute to specify that anonymous access is allowed.

This situation will no longer exist in 3.1, as the "filters" attribute is no longer supported, as a result of the work on SEC-1171.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
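
An added example (not from the issue thread and not Spring Security code): a small Python check that parses a configuration like the one reported above and flags filters="none" rules that carry a method attribute, or that cover an explicitly configured login-processing-url or logout-url. The Ant matcher is simplified, the CORRECTED variant is constructed, and the snippet is assumed to carry no XML namespace prefix, as in the report.

```python
import re
import xml.etree.ElementTree as ET

# Configuration from the issue, trimmed (failure handler dropped, </http> added).
REPORTED = """<http use-expressions="true">
  <form-login login-page="/signin" login-processing-url="/signin"/>
  <logout logout-url="/signout"/>
  <intercept-url pattern="/" access="permitAll"/>
  <intercept-url pattern="/signup" access="permitAll"/>
  <intercept-url pattern="/signin" filters="none" method="GET"/>
  <intercept-url pattern="/signin" access="permitAll" method="POST"/>
  <intercept-url pattern="/resources/**" access="permitAll"/>
  <intercept-url pattern="/**" access="isAuthenticated()"/>
</http>"""

# Constructed variant: the sign-in page is opened with an access rule instead
# of filters="none", so the filter chain still runs for POST /signin.
CORRECTED = REPORTED.replace('filters="none" method="GET"',
                             'access="permitAll" method="GET"')

def ant_match(pattern, path):
    """Simplified Ant-style match: ** spans segments, * and ? stay in one."""
    rx = (re.escape(pattern)
          .replace(r"\*\*", ".*")
          .replace(r"\*", "[^/]*")
          .replace(r"\?", "[^/]"))
    return re.fullmatch(rx, path) is not None

def lint(xml_text):
    """Return (pattern, problem) pairs for risky filters="none" rules."""
    http = ET.fromstring(xml_text)
    # URLs that a security filter itself must see (explicit attributes only).
    filter_urls = {}
    for tag, attr in (("form-login", "login-processing-url"),
                      ("logout", "logout-url")):
        el = http.find(tag)
        if el is not None and el.get(attr):
            filter_urls[attr] = el.get(attr)
    findings = []
    for rule in http.findall("intercept-url"):
        if rule.get("filters") != "none":
            continue
        pattern = rule.get("pattern")
        if rule.get("method"):  # method only scopes the access constraint
            findings.append((pattern, "method-ignored"))
        for attr, url in filter_urls.items():
            if ant_match(pattern, url):  # filter for this URL never runs
                findings.append((pattern, "bypasses " + attr))
    return findings
```

Calling lint(REPORTED) reports both problems for the /signin rule; lint(CORRECTED) returns an empty list.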