SEC-1503: HTTP request 'method' attribute of intercept-url does not appear to be respected #1747

Closed
spring-issuemaster opened this issue Jun 22, 2010 · 2 comments


@spring-issuemaster spring-issuemaster commented Jun 22, 2010

Keith Donald (Migrated from SEC-1503) said:

I'm attempting to have the following:

  • GET /signin -- login-page
  • POST /signin -- login-processing-url

To do this I tried the following config:

<http use-expressions="true">
    <!-- Authentication policy -->
    <form-login login-page="/signin"
                login-processing-url="/signin"
                authentication-failure-handler-ref="authenticationFailureHandler" />
    <logout logout-url="/signout" />
    <!-- Authorization policy -->
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/signup" access="permitAll" />
    <intercept-url pattern="/signin" filters="none" method="GET" />
    <intercept-url pattern="/signin" access="permitAll" method="POST" />
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>

Unfortunately, when I POST to /signin, the 'filters="none"' rule seems to be enforced (which I tried to only set on GET /signin). As a result, the filter never picks up my authentication request.


@spring-issuemaster spring-issuemaster commented Jun 22, 2010

Keith Donald said:

I was able to work around this problem by making "/signin/authenticate" the login-processing URL and POSTing to it.


@spring-issuemaster spring-issuemaster commented Jun 22, 2010

Luke Taylor said:

The "method" attribute only applies to the access constraint. Using filters="none" will bypass Spring Security entirely. An alternative is to use the "IS_AUTHENTICATED_ANONYMOUSLY" access attribute to specify that anonymous access is allowed.

This situation will no longer exist in 3.1, as the "filters" attribute is no longer supported, as a result of the work on SEC-1171.
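
The change described in the last comment, applied to the configuration from the report, as an added example that is not part of the original thread: the `filters="none"` rule is replaced by an access rule, so `/signin` stays inside the filter chain and the login filter sees the POST. It assumes the reporter's `use-expressions="true"` setup, where `permitAll` (already used elsewhere in that configuration) is the expression form of allowing anonymous access.

```xml
<!-- Added example: the reporter's configuration with the filters="none" rule replaced. -->
<http use-expressions="true">
    <!-- Authentication policy (unchanged from the report) -->
    <form-login login-page="/signin"
                login-processing-url="/signin"
                authentication-failure-handler-ref="authenticationFailureHandler" />
    <logout logout-url="/signout" />

    <!-- Authorization policy -->
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/signup" access="permitAll" />

    <!--
      Before: <intercept-url pattern="/signin" filters="none" method="GET" />
      The method attribute only scopes the access constraint, so filters="none"
      removed the whole filter chain for every request to /signin, POST included,
      and the form-login filter never ran.

      After: an access rule with no method restriction. GET (the login page) and
      POST (the login-processing URL) are both open to anonymous users, and both
      still pass through the security filters.

      Assumption: expression mode, as in the report. Without use-expressions, the
      equivalent is access="IS_AUTHENTICATED_ANONYMOUSLY", as the comment suggests.
    -->
    <intercept-url pattern="/signin" access="permitAll" />

    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>
```

When reviewing a 3.0-era configuration, treat any `filters="none"` entry as applying to the whole URL pattern regardless of a `method` attribute on the same element.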
