Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to deny access to all URLs by default?

Tags:

java

spring

spring-boot

spring-security

When defining new spring boot REST resources, I tend to forget to also create a spring security configuration for their url patterns.

How can I, by default, deny access to all URLs, and only allow access to explicitly configured URL patterns? (I am using .hasRole for to allow access) I want to avoid as many unintended security holes as possible.

Let's say I have three REST resources: /jobs, /desks and /salary. My current code might look like this:

http.authorizeRequests()

    .antMatchers(HttpMethod.GET, "/jobs")
    .hasRole("my_user")

    .antMatchers(HttpMethod.GET, "/desks")
    .hasRole("my_user");

But currently, access to url /salary is provided to everyone (because it is not yet configured)!

like image 399
slartidan Avatar asked Jul 17 '18 15:07

slartidan

2 Answers

Spring's Expression-Based Access Control has a denyAll expression which always evaluates to false.

So what you can do is use this denyAll method to deny access to everything, and then perhaps allow access to a certain URL(s) via hasRole:

http.authorizeRequests().antMatchers("/admin/**").access("hasRole('ADMIN')").antMatchers("/**").denyAll();

So for example, this will allow users with ADMIN access to access any page starting with /admin. And then it will deny access to all other pages. Note that the order is important as if you put in .antMatchers("/**").denyAll() first, it will deny all access and ignore the rest of your expression.

Or alternatively, you could use permitAll() for a certain URL pattern:

http.authorizeRequests().antMatchers("/users/**").permitAll().antMatchers("/**").denyAll();

Just to note that you might need to allow access to some way of logging in too, so the system can let someone log in with a specific role, so to combine it all together, and allow everyone to try login, only admin users to access the admin page(s) and deny all others, then something like:

http.authorizeRequests().antMatchers("/login").permitAll().antMatchers("/admin/**").access("hasRole('ADMIN')").antMatchers("/**").denyAll();
like image 173
achAmháin Avatar answered Nov 07 '22 23:11

achAmháin

You can deny all requests by default with: .anyRequest().denyAll() and explicit allow requests with .hasRole

like image 21
max Avatar answered Nov 08 '22 01:11

max
Sign in to Comment

Related questions

HikariCP too many connections
hibernate: Unable to locate appropriate constructor on class - HQL
Match generics with Mockito
Is it bad practice to make generic arrays, and what would be the alternative?
java.lang.NoClassDefFoundError: javax/servlet/ServletContext
Spring AOP CGLIB proxy's field is null
Can I "use" Java 8 with Android Development now?
How to convert java.util.stream.Stream<Something> into kotlin.Sequence<Something>
Why doesn't Stream#reduce implicitly accept an accumulative function handling super type elements?
How to deserialise a subclass in Firebase using getValue(Subclass.class)
How to locate a span with a specific text in Selenium? (Using Java)
Spring Boot Integration Testing with mocked Services/Components
Unable to set runtime Local Server Port in Spring Boot Test 1.5
I used Glide library to load image into imageView and I don't know how to make image pinch to zoomable
EditorConfig in Android Studio
Exporting a package from system module is not allowed with --release
Idiomatically creating a multi-value Map from a Stream in Java 8
Where is the "server log" for Tomcat when running externally from IntelliJ Ultimate?
Get the extension from a MimeType
How do I sum the values in a Reactor Flux stream?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!