java - Page not found 404 on unauthorized URL when page does not exist
I have the following setup of Spring Security with default deny (see example below). I don't want to change the default deny because it's a defensive way of security configuration, and it's considered good practice. If a user wants to access a page that doesn't exist, they get a 403 because of the default deny strategy. I want the result to be 404 when the page does not exist, and 403 when the user has restricted access. Is there a way to configure Spring Security for this behavior?
Example:

<http use-expressions="true">
    <intercept-url pattern="/posts/remove" access="hasRole('admin')" />
    <intercept-url pattern="/posts/add" access="hasRole('editor')" />
    <intercept-url pattern="/posts" access="permitAll" />
    <intercept-url pattern="/" access="permitAll" />
    <!-- default access denied -->
    <intercept-url pattern="/**" access="denyAll" />
</http>
When a user requests /something-that-not-exists, they should get a 404 (not 403). When an editor user requests /posts/remove, they should get a 403.
I'm not sure if such a configuration is possible, as security filters intercept and process the request at an earlier stage, before the URL mapping logic of the webapp has a chance to determine if there is a resource to respond to that particular request.

If the security filter decides to deny access by matching the request URL, it will never turn out whether there is a page behind the URL at all.
Edit (response to Michal's comment):

Since the mapping of URLs to resources/handlers is pretty arbitrary in every application, no framework can possibly provide an algorithm applicable to every webapp to determine the outcome of the mapping process in advance.
If you can implement such logic for your webapp (e.g. by knowing the entire URL space), you can create a filter as suggested. If you happen to use Spring MVC, calling getHandler() on every HandlerMapping deployed in the application could help in implementing such a filter.
Anyway, I guess providing this kind of facility cannot be in the scope of a security library that is meant to be independent of, and capable of working with, a wide range of different web frameworks.
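
A sketch of the filter idea from the answer above, added here as an illustration and not code from the original post: it asks every HandlerMapping for a handler and returns 404 before the security chain runs when none matches. The class name UnmappedUrlFilter, the constructor injection of the mappings, and its registration ahead of springSecurityFilterChain are assumptions, as is a Spring MVC version on javax.servlet with the default Ant-style path matching.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.HandlerMapping;

/** Hypothetical filter: answers 404 for URLs that no HandlerMapping can serve. */
public class UnmappedUrlFilter extends OncePerRequestFilter {

    // Assumption: the application wires in the HandlerMapping beans of its DispatcherServlet.
    private final List<HandlerMapping> handlerMappings;

    public UnmappedUrlFilter(List<HandlerMapping> handlerMappings) {
        this.handlerMappings = handlerMappings;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        if (hasHandler(request)) {
            // Known URL: continue to Spring Security, which still applies the deny-all rules.
            chain.doFilter(request, response);
        } else {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    private boolean hasHandler(HttpServletRequest request) {
        for (HandlerMapping mapping : handlerMappings) {
            try {
                HandlerExecutionChain handler = mapping.getHandler(request);
                if (handler != null) {
                    return true;
                }
            } catch (Exception e) {
                // A mapping can throw when the path matches but e.g. the HTTP method does not.
                // Treat that as "exists" so the request reaches the security chain, not a 404.
                return true;
            }
        }
        return false;
    }
}
```

A catch-all mapping (a default handler or a /** resource handler) makes every URL look mapped, so the filter only helps when the injected mappings are specific. The 404/403 split also tells unauthenticated clients which protected URLs exist, which the uniform 403 of plain default deny does not.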