Path Variables in Web Security Expressions and set /users/{userId:\d+}

spring security 4.1.3.RELEASE intercept-url request-matcher="mvc"

I am trying to use spring-security.xml to configure my web security with request-matcher="mvc", but the pattern "/users/{userId:id}" doesn't work.



My config looks like the following code:



    <http entry-point-ref="myAuthenticationEntryPoint" auto-config="true" use-expressions="true" create-session="stateless" request-matcher="mvc"
          access-decision-manager-ref="myAccessDecisionManager">
        <intercept-url pattern="/users/{userId:\d+}" method="GET" access="@webSecurity.isMe(authentication, #userId) or hasAnyRole('ADMIN')"/>
        <intercept-url pattern="/users/management" method="GET" access="hasAnyRole('ADMIN')"/>
    </http>


I expect that the request for /users/12345 will match the pattern /users/{userId:\d+}, which will bind 12345 to userId, and that the request for /users/management will match the pattern /users/management. However, the pattern /users/{userId:\d+} doesn't work: it never matches the request /users/12345. If I change the setting to the following code:



    <http entry-point-ref="myAuthenticationEntryPoint" auto-config="true" use-expressions="true" create-session="stateless" request-matcher="mvc"
          access-decision-manager-ref="myAccessDecisionManager">
        <intercept-url pattern="/users/{userId}" method="GET" access="@webSecurity.isMe(authentication, #userId) or hasAnyRole('ADMIN')"/>
        <intercept-url pattern="/users/management" method="GET" access="hasAnyRole('ADMIN')"/>
    </http>


If I remove the :\d+ from /users/{userId:\d+}, it will match the request for /users/12345. But it will match the request for /users/management as well, which makes the value of userId the unexpected "management". I have tried ant-matcher and regex-matcher, and I can't find a perfect solution to get the userId.

spring-mvc spring-security spring-security-rest

asked Nov 5 at 3:28 by DoneSpeak

1 Answer

I have solved the problem by myself. It's a stupid mistake. To solve the problem, I just need to replace /users/{userId:\d+} with /users/{userId:d+} or /users/{userId:[0-9]+} and use AntPathMatcher instead of using MvcPathMatcher. Configuring the security with spring-security.xml is different from using javaConfig or using annotations. In javaConfig or the @RequestMapping annotation, the content in "" is a String object, so we need another to escape the d+. But in XML, it's unnecessary. If using \d+ here, Spring Security will append it to \\d+, which will never match a numeric string. I found this solution when I set a breakpoint in org.springframework.util.AntPathMatcher.matchStrings(String str, Map<String, String> uriTemplateVariables) and watched the request.

answered Nov 5 at 9:57 by DoneSpeak
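
How Spring's AntPathMatcher treats each form of the userId regex discussed above, and how rule order decides which pattern claims /users/management (the ordering part goes slightly beyond the post). This is an added example, not code from the original question or answer: the class name PathVariablePatternCheck and the firstMatch helper are hypothetical, spring-core is assumed to be on the classpath, and the loop only models first-match-wins ordering rather than Spring Security's own filter chain.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Added example, not from the original post. Needs spring-core on the classpath.
public class PathVariablePatternCheck {

    // Hypothetical helper: first pattern in list order that matches (first match wins).
    static String firstMatch(AntPathMatcher m, List<String> patterns, String path) {
        for (String pattern : patterns) {
            if (m.match(pattern, path)) {
                return pattern;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        AntPathMatcher m = new AntPathMatcher();
        // Java literals: each "\\" below is ONE backslash in the string the matcher sees.
        // An XML attribute is not unescaped this way, so XML text reaches the matcher as typed.
        List<String> patterns = Arrays.asList(
                "/users/{userId:\\d+}",    // matcher sees \d+  : one or more digits
                "/users/{userId:\\\\d+}",  // matcher sees \\d+ : a literal backslash, then d's
                "/users/{userId:d+}",      // matcher sees d+   : one or more letters 'd'
                "/users/{userId:[0-9]+}",  // digit class, no backslash to lose or double
                "/users/{userId}");        // unconstrained: any single path segment
        List<String> paths = Arrays.asList("/users/12345", "/users/management");

        for (String pattern : patterns) {
            for (String path : paths) {
                boolean hit = m.match(pattern, path);
                // extractUriTemplateVariables throws if the pattern does not match
                Map<String, String> vars = hit
                        ? m.extractUriTemplateVariables(pattern, path)
                        : Collections.<String, String>emptyMap();
                System.out.printf("%-24s %-18s match=%-5b vars=%s%n", pattern, path, hit, vars);
            }
        }

        // Rule order: the bare {userId} rule listed first also claims /users/management.
        List<String> asPosted = Arrays.asList("/users/{userId}", "/users/management");
        List<String> specificFirst = Arrays.asList("/users/management", "/users/{userId}");
        System.out.println("as posted      -> " + firstMatch(m, asPosted, "/users/management"));
        System.out.println("specific first -> " + firstMatch(m, specificFirst, "/users/management"));
    }
}
```

Against /users/12345 only the \d+, [0-9]+ and bare {userId} forms match, and of those only the first two reject /users/management. With the bare variable, listing /users/management first is what keeps "management" from being bound to userId.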