Spring-security cannot match “?parameter” format?

Question

I use spring-security to secure my web, when I'm learning it by spring-roo generated config file in applicationContext-security.xml, in <http> node:

 <intercept-url pattern="/userses?form" access="hasRole('ROLE_ADMIN')" />

It means when you want to create a Users object, firstly you need to login to get ADMIN permission. But actually it didn't work. Check the log:

2012-05-06 11:39:11,250 [http-8088-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/userses'; against '/userses?form'

The framework use the /userses instead of /userses?form to compare with, authentication process skipped as string didn't match. To verify this I also try another url:

<intercept-url pattern="/userses/abc" access="hasRole('ROLE_ADMIN')" />

I requested the /userses/abc, it detected user is not authorized, and moved to /login page, checked the log:

2012-05-06 11:46:44,343 [http-8088-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/uesrses/abc'; against '/userses/abc'

So my question is: Doesn't spring-secure 3 support "?parameter" pattern or I missed something to config to support this? PS: All the code is generated by roo without modification, also wonder why it doesn't work.

Answer 1

By default spring security uses ant style matching, which can't match on parameters. Regex matching, however, can match on parameters

Try defining it like so:

<http request-matcher="regex">
  <security:intercept-url pattern="\A/userses\?form.*\Z" access="hasRole('ROLE_ADMIN')" />
</http>

Don't know why Roo doesn't do this automatically. Seems like it should.

Answer 2

That behavior is defined by the "request-matcher" in use. As indicated by the documentation, the default is "ant", which indicates to use an AntPathRequestMatcher, and an alternative is "regex", the RegexRequestMatcher. The javadocs (linked) give specifics about the matchers, including the fact that the former matches against a request's "servletPath + pathInfo", and the latter against its "servletPath + pathInfo + queryString".