Configure Spring Security to return 403 for REST URLs and redirect to login for other URLs

My web application has a bunch of "normal" resources (html pages etc) and also some REST resources which are called from JavaScript by the previously mentioned html pages.

If there is a session timeout the user gets redirected to the login form. That's great for the "normal" resources, but not for the REST resources. I'll just need a 403 response there so that the JavaScript can take over and ask the user to reauthenticate.

There are countless examples on the web of how to configure each of those, but I could not find an example of how to combine the methods. All my API URLs start with "/api/", so I'll need the 403 for all those URLs and the redirect for all the remaining URLs. How do I set this up?

asked by yankee, May 19 '14 13:05



1 Answer

It took me a little bit of Spring source code study to get this to work. You can set up an authentication entry point as follows:

<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
    <!-- this is the configuration for /api/ URLs -->
    <constructor-arg>
        <map>
            <entry>
                <key>
                    <bean class="org.springframework.security.web.util.matcher.RegexRequestMatcher">
                        <constructor-arg value="^/api/.*" /><!-- match URLs starting with "/api/" -->
                        <constructor-arg><null /></constructor-arg><!-- no matter what the HTTP method is -->
                    </bean>
                </key>
                <!-- if the key above has matched, send 403 response -->
                <bean class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
            </entry>
        </map>
    </constructor-arg>

    <!-- and in the default case just redirect to login form -->
    <property name="defaultEntryPoint">
        <bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
            <constructor-arg value="/spring_security_login" />
        </bean>
    </property>
</bean>

This can then be used in the Spring Security configuration:

<http ... entry-point-ref="authenticationEntryPoint">
answered by yankee, Nov 09 '22 03:11