I'm using Spring 3.1.1 and Spring Security 3.1.0. I'd like to enforce a policy that all HTTP requests that are not explicitly configured with an `<intercept-url pattern="..." access="..."/>` entry are handled in a particular way. For requests that match a configured `<intercept-url/>` I want to use typical role-based access decisions. However, for non-matching requests, I want to either respond with a 404 (not found) (or maybe 403/forbidden). I want to do this so that I and other team members are forced to explicitly configure Spring Security and associated roles for any new endpoints.

I originally thought that I could use `<intercept-url pattern="/**" access="denyAll"/>` as the last `intercept-url` and that Spring would do what I wanted. This technique works if the user is already authenticated but is a little strange for unauthenticated/anonymous users. For anonymous users, Spring detects (in `ExceptionTranslationFilter`) that the user is anonymous and starts the authentication process when requests like `/missingResource` are processed. Typically this means that the user is redirected to a login form and, after logging in, is redirected back to `/missingResource`. So the user has to log in in order to see a 404 (not found) page.

I ended up removing the `<intercept-url pattern="/**" access="denyAll"/>` and writing a custom filter that runs `after="FILTER_SECURITY_INTERCEPTOR"` and responds with 404 for requests that are not matched by the `FilterSecurityInterceptor`, but it seemed a little complicated. Is there a better or simpler way?
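The custom filter the question describes, as an added example that is not the asker's code: it assumes a hypothetical class name `UnmappedUrlFilter`, that the bean is registered with `<custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="unmappedUrlFilter"/>`, and that it is handed the same `FilterInvocationSecurityMetadataSource` the `FilterSecurityInterceptor` uses (for example via its `getSecurityMetadataSource()`).

```java
import java.io.IOException;
import java.util.Collection;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.web.filter.GenericFilterBean;

/**
 * Hypothetical filter (not from the question): answers 404 for any request
 * that no <intercept-url> pattern covers, so a new endpoint stays invisible
 * until someone adds an explicit rule for it.
 *
 * Assumed wiring: a bean of this class registered with
 * <custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="unmappedUrlFilter"/>
 * and constructed with the FilterInvocationSecurityMetadataSource that the
 * FilterSecurityInterceptor exposes through getSecurityMetadataSource().
 */
public class UnmappedUrlFilter extends GenericFilterBean {

    private final FilterInvocationSecurityMetadataSource metadataSource;

    public UnmappedUrlFilter(FilterInvocationSecurityMetadataSource metadataSource) {
        this.metadataSource = metadataSource;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Look up the access attributes configured for this request.
        // DefaultFilterInvocationSecurityMetadataSource returns null when no
        // configured pattern matches, which is exactly the "unmapped" case.
        FilterInvocation fi = new FilterInvocation(req, res, chain);
        Collection<ConfigAttribute> attrs = metadataSource.getAttributes(fi);
        if (attrs == null || attrs.isEmpty()) {
            // Fail closed: hide the resource instead of starting authentication.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // A rule matched; the FilterSecurityInterceptor has already enforced it.
        chain.doFilter(req, res);
    }
}
```

Because the filter sits after `FILTER_SECURITY_INTERCEPTOR`, only requests the interceptor let through reach it, so an unmapped request gets a 404 without ever triggering the `ExceptionTranslationFilter` login redirect.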