I use spring-security to secure my web, when I'm learning it by spring-roo generated config file in applicationContext-security.xml, in
node:
That behavior is defined by the "request-matcher" in use. As indicated by the documentation, the default is "ant", which indicates to use an AntPathRequestMatcher, and an alternative is "regex", the RegexRequestMatcher. The javadocs (linked) give specifics about the matchers, including the fact that the former matches against a request's "servletPath + pathInfo", and the latter against its "servletPath + pathInfo + queryString".
By default Spring Security uses ant-style matching, which can't match on parameters. Regex matching, however, can match on parameters.
Try defining it like so:
<http request-matcher="regex">
    <security:intercept-url pattern="\A/userses\?form.*\Z" access="hasRole('ROLE_ADMIN')" />
</http>
Don't know why Roo doesn't do this automatically. Seems like it should.
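
To see what each matcher actually compares against, the following added example (not code from the question or from either answer) runs the two matcher classes named above over a few constructed requests. It assumes Spring Security 5.x/6.x package names with spring-security-web, spring-test and the servlet API on the classpath; the `/userses/**` ant pattern, the `anyPosition` regex and the sample query strings are constructed for illustration.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class MatcherInputDemo {

    // Constructed request: GET <servletPath>?<query>
    static MockHttpServletRequest get(String servletPath, String query) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", servletPath);
        request.setServletPath(servletPath); // both matchers read servletPath (+ pathInfo)
        request.setQueryString(query);       // only the regex matcher appends "?" + queryString
        return request;
    }

    public static void main(String[] args) {
        // Ant matcher: compares against the path only, so it cannot tell ?form apart
        RequestMatcher ant = new AntPathRequestMatcher("/userses/**");
        // Regex from the answer above; a null second argument means any HTTP method
        RequestMatcher asPosted = new RegexRequestMatcher("\\A/userses\\?form.*\\Z", null);
        // Hypothetical variant: "form" as a parameter name at any position in the query
        RequestMatcher anyPosition =
                new RegexRequestMatcher("\\A/userses\\?(.*&)?form([=&].*)?\\Z", null);

        // Constructed sample requests (path, query string)
        String[][] samples = {
            {"/userses", null},
            {"/userses", "form"},
            {"/userses", "form&page=1"},
            {"/userses", "page=1&form"},
        };

        System.out.printf("%-26s %-6s %-9s %s%n", "request", "ant", "asPosted", "anyPosition");
        for (String[] sample : samples) {
            MockHttpServletRequest request = get(sample[0], sample[1]);
            String shown = sample[1] == null ? sample[0] : sample[0] + "?" + sample[1];
            System.out.printf("%-26s %-6b %-9b %b%n", shown,
                    ant.matches(request),
                    asPosted.matches(request),
                    anyPosition.matches(request));
        }
    }
}
```

The ant matcher returns the same result for every row because the query string never reaches it, while the posted regex matches only when `form` immediately follows the `?`. Exercising an access rule with the parameter in other positions, as the last sample does, is a quick way to confirm the rule covers every request the protected handler accepts.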