Spring Security Allows Unauthorized User Access to Restricted URL from a Forward

Question

Spring Security 3.2.0.RC2

Given:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
        .authorize         


        

Answer 1

If you are using web.xml to configure your filter, try this:

    springSecurityFilterChain
    org.springframework.web.filter.DelegatingFilterProxy



    springSecurityFilterChain
    /*
    FORWARD 
    REQUEST

...or use the Servlet3 Java-based Config equivalent, which is to extend AbstractSecurityWebApplicationInitializer and override the getSecurityDispatcherTypes() method:

public class YourSecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

    protected  EnumSet getSecurityDispatcherTypes() {
        // Return dispatcher types here, in your case you'll want the defaults, 
        // which are DispatcherType.REQUEST and DispatcherType.ERROR
        // ...as well as the one you need for your use case: DispatcherType.FORWARD
    }

}

I typed that here, so hopefully there are no errors. Should get you going, though.