I am using Java 8, Spring MVC 4, Spring Boot, and Gradle for my REST application.
I would like to add security to my REST application via custom method annotations within certain Spring MVC 4 controllers.
Here is a basic example.
HomeController.java
package myapp;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RequestMapping;
@RestController
@RequestMapping("/")
public class HomeController {
@RequestMapping("/")
public String index() {
return "<h1>Hello, World!</h1><p>Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum</p>";
}
@CustomSecurityAnnotation
@RequestMapping("/secure")
public String secure() {
return "<h1>Secured!</h1><p>Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum</p>";
}
}
I would like CustomSecurityAnnotation
to run a custom method that will check the headers of the incoming REST request, look at HTTP header Authorization
, pull the value provided (if one was provided), and run code against that value to validate the request before allowing the method to proceed. The annotation should have the ability to override the response and provide a HTTP 401 or 403 if the authorization is invalid, and allow the method under the annotation to run if I decide the annotation custom method passed successfully.
I realize there is something similar I could do with PreAuthorize
and other MVC annotations but I'm looking at packaging up custom logic within a method inside a single annotation to be used on any method on any controller of my choosing.
Thanks!
Method-level security is implemented by placing the @PreAuthorize annotation on controller methods (actually one of a set of annotations available, but the most commonly used). This annotation contains a Spring Expression Language (SpEL) snippet that is assessed to determine if the request should be authenticated.
The @PreAuthorize annotation checks the given expression before entering the method, whereas the @PostAuthorize annotation verifies it after the execution of the method and could alter the result.
We also created a custom annotation in our project. What you need to accomplish this, is a bit of Aspect Oriented Programming.
First you'll want to create your own annotation to tag your methods, as follows:
public @interface CustomSecurityAnnotation {
}
Then you have to write the logic which is triggered when your method is executed. You write an aspect for that.
@Aspect
@Component
public class CustomSecurityAspect {
@Pointcut("@annotation(my.package.CustomSecurityAnnotation)")
private void customSecurityAnnotation() {
}
@Around("my.package.CustomSecurityAspect.customSecurityAnnotation()")
public Object doSomething(ProceedingJoinPoint pjp) throws Throwable {
HttpServletRequest req = getRequest();
// Check header values
// Throw Spring's AccessDeniedException if needed
return pjp.proceed();
}
private HttpServletRequest getRequest() {
ServletRequestAttributes sra = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
return sra.getRequest();
}
}
As you can see, I've already included a method to retrieve the current HTTP request so you can easily retrieve the header you want to check.
In case of an AccessDeniedException
, Spring automatically sets the response status code to HTTP 403.
Don't forget to enable @EnableAspectJAutoProxy
on your @Configuration
class to enable aspects.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With