
How to apply spring security filter only on secured endpoints?

I have the following Spring Security configuration:

    httpSecurity
        .csrf().disable()
        .exceptionHandling()
            .authenticationEntryPoint(unauthorizedHandler)
            .and()
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
        .authorizeRequests()
            .antMatchers("/api/**").fullyAuthenticated()
            .and()
        .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

The authenticationTokenFilterBean() is applied even on endpoints that do not match the /api/** expression. I also tried adding the following configuration code:

    @Override
    public void configure(WebSecurity webSecurity) {
        webSecurity.ignoring().antMatchers("/some_endpoint");
    }

but this still did not solve my problem. How can I tell Spring Security to apply filters only on endpoints that match the secured URI expression?

Bravo asked Apr 22 '16 14:04



1 Answer

I have an application with the same requirement and to solve it I basically restricted Spring Security to a given ant match pattern (using antMatcher) as follows:

    http
        .antMatcher("/api/**")
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

You can read it as follows: for http, only invoke these configurations on requests matching the ant pattern /api/**, authorizing any request to authenticated users, and add the filter authenticationTokenFilterBean() before UsernamePasswordAuthenticationFilter. For all other requests this configuration has no effect.

Francisco Spaeth answered Sep 19 '22 08:09
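A complete configuration class putting the answer's antMatcher scoping together with a token filter, written as an added example for this page (not code from either poster). It assumes a Spring Security 4/5 WebSecurityConfigurerAdapter as used in the question, a hypothetical class name ApiSecurityConfig, and a placeholder token check that only looks for an Authorization header; the filter additionally overrides shouldNotFilter so it skips non-/api/** requests even if it is ever registered on a broader chain.

```java
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical name
    // One matcher shared by the filter chain and by the filter itself.
    private static final RequestMatcher API = new AntPathRequestMatcher("/api/**");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope this whole HttpSecurity, and every filter added to it, to /api/**.
            // Without it the chain matches any request, so the token filter would also
            // run on unrelated endpoints, which is the behaviour described in the question.
            .requestMatcher(API)
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
    }

    // Deliberately not a @Bean: Spring Boot would otherwise also register the filter
    // with the servlet container, running it outside the security chain for every URL.
    public OncePerRequestFilter authenticationTokenFilterBean() {
        return new OncePerRequestFilter() {
            @Override
            protected boolean shouldNotFilter(HttpServletRequest request) {
                return !API.matches(request); // defence in depth: never touch non-API paths
            }

            @Override
            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain chain) throws ServletException, IOException {
                // Placeholder check; real token validation goes here.
                if (request.getHeader("Authorization") == null) {
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return;
                }
                chain.doFilter(request, response);
            }
        };
    }
}
```

Requests outside /api/** never reach this chain or filter, so a second WebSecurityConfigurerAdapter (or the default one) can handle them independently.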