Spring-security cannot match "?parameter" format?

JerryCai · May 6, 2012 · Viewed 10k times

I use spring-security to secure my web app. While learning it from the spring-roo generated config file applicationContext-security.xml, in the <http> node:

 <intercept-url pattern="/userses?form" access="hasRole('ROLE_ADMIN')" />

It means that when you want to create a Users object, you first need to log in to get ADMIN permission. But actually it didn't work. Check the log:

2012-05-06 11:39:11,250 [http-8088-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/userses'; against '/userses?form'

The framework uses /userses instead of /userses?form for the comparison, and the authentication process is skipped because the strings didn't match. To verify this I also tried another URL:

<intercept-url pattern="/userses/abc" access="hasRole('ROLE_ADMIN')" />

I requested /userses/abc; it detected that the user is not authorized and moved to the /login page. Checking the log:

2012-05-06 11:46:44,343 [http-8088-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/userses/abc'; against '/userses/abc'

So my question is: doesn't spring-security 3 support the "?parameter" pattern, or did I miss something in the config to support this? PS: All the code is generated by Roo without modification, so I also wonder why it doesn't work.

Answer

Tim Pote · May 6, 2012

By default spring security uses Ant-style matching, which can't match on parameters. Regex matching, however, can match on parameters.

Try defining it like so:

<!-- request-matcher="regex" switches every intercept-url pattern inside this
     <http> element to regex matching; use-expressions="true" is what makes
     hasRole(...) in the access attribute work, as in the Roo-generated file -->
<http request-matcher="regex" use-expressions="true">
  <intercept-url pattern="\A/userses\?form.*\Z" access="hasRole('ROLE_ADMIN')" />
</http>

Don't know why Roo doesn't do this automatically. Seems like it should.
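To see concretely why the Roo rule is skipped while the regex rule fires, here is an added Python model of the two matchers. It is not Spring Security's code and not part of the question or answer; the names Request, AntRequestMatcher, RegexRequestMatcher and decide are this example's own, and the requests in it are constructed. It models two facts the log above reflects: AntPathRequestMatcher compares only the path, with the query string dropped, and in Ant syntax "?" is a one-character wildcard rather than a literal, so "/userses?form" would actually match a path like "/usersesXform". The regex matcher compares path plus "?" plus query string. The example also goes one step beyond the answer by showing that intercept-url rules are evaluated in order with the first match winning, so the admin rule must come before any permissive catch-all.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of how Spring Security's two request matchers see a
# request. The names below (Request, AntRequestMatcher, RegexRequestMatcher,
# decide) are this example's own, not Spring Security API.


@dataclass(frozen=True)
class Request:
    path: str                    # servlet path (+ path info), e.g. "/userses"
    query: Optional[str] = None  # query string without the '?', e.g. "form"


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style pattern into a regex used with fullmatch().

    Ant semantics, as in Spring's AntPathMatcher: '?' is a wildcard for
    exactly one non-separator character, '*' matches any run of characters
    inside one path segment, '/**' matches any number of whole segments.
    A literal '?' cannot be expressed at all, which is one reason the Roo
    pattern "/userses?form" does not mean what it looks like.
    """
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            parts.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))


class AntRequestMatcher:
    """Models AntPathRequestMatcher: only the path is compared; the query
    string is dropped before matching (the other reason the rule fails)."""

    def __init__(self, pattern: str) -> None:
        self.pattern = pattern
        self._regex = ant_to_regex(pattern)

    def matches(self, req: Request) -> bool:
        return self._regex.fullmatch(req.path) is not None


class RegexRequestMatcher:
    """Models RegexRequestMatcher: the path, a '?' and the query string (when
    present) form the string that the whole pattern must match."""

    def __init__(self, pattern: str) -> None:
        self.pattern = pattern
        self._regex = re.compile(pattern)

    def matches(self, req: Request) -> bool:
        url = req.path if req.query is None else f"{req.path}?{req.query}"
        return self._regex.fullmatch(url) is not None


Rule = Tuple[object, str]  # (matcher, access expression)


def decide(rules: List[Rule], req: Request) -> Optional[str]:
    """First <intercept-url> whose matcher accepts the request wins, as in
    Spring Security's ordered evaluation; None means no rule applied."""
    for matcher, access in rules:
        if matcher.matches(req):
            return access
    return None


ADMIN = "hasRole('ROLE_ADMIN')"

# The Roo-generated Ant rule from the question.
ANT_RULES: List[Rule] = [(AntRequestMatcher("/userses?form"), ADMIN)]

# The regex rule from the answer, ordered before a permissive catch-all.
REGEX_RULES: List[Rule] = [
    (RegexRequestMatcher(r"\A/userses\?form.*\Z"), ADMIN),
    (RegexRequestMatcher(r"\A/.*\Z"), "permitAll"),
]

# Same two rules with the catch-all first: the admin rule is never reached.
SHADOWED_RULES: List[Rule] = list(reversed(REGEX_RULES))


if __name__ == "__main__":
    form = Request("/userses", "form")
    print("ant   :", decide(ANT_RULES, form))       # None, rule skipped
    print("regex :", decide(REGEX_RULES, form))     # hasRole('ROLE_ADMIN')
    print("shadow:", decide(SHADOWED_RULES, form))  # permitAll
```

Two practical consequences follow for the real configuration: once request-matcher="regex" is set on the <http> element, every other intercept-url pattern in that block must be written as a regex too, and the "/userses\?form" rule has to be listed before any broader pattern that would otherwise match "/userses" first.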