
Spring Security authorize request for URL & method using HttpSecurity

Is there any way to authorize a POST request to a specific URL using org.springframework.security.config.annotation.web.builders.HttpSecurity?

I'm using HttpSecurity as:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class)
            .exceptionHandling()
            .authenticationEntryPoint(authenticationEntryPoint)
        .and()
            .rememberMe()
            .rememberMeServices(rememberMeServices)
            .key(env.getProperty("jhipster.security.rememberme.key"))
        .and()
            .formLogin()
            .loginProcessingUrl("/api/authentication")
            .successHandler(ajaxAuthenticationSuccessHandler)
            .failureHandler(ajaxAuthenticationFailureHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()
        .and()
            .logout()
            .logoutUrl("/api/logout")
            .logoutSuccessHandler(ajaxLogoutSuccessHandler)
            .deleteCookies("JSESSIONID")
            .permitAll()
        .and()
            .headers()
            .frameOptions()
            .disable()
            // URL rules are evaluated top-down; the first matching antMatcher wins
            .authorizeRequests()
                .antMatchers("/api/register").permitAll()
                .antMatchers("/api/activate").permitAll()
                .antMatchers("/api/authenticate").permitAll()
                .antMatchers("/api/logs/**").hasAuthority(AuthoritiesConstants.ADMIN)
                .antMatchers("/api/subscriptions").permitAll()
                .antMatchers("/api/**").authenticated();
    }

I would like to allow POST requests to the /api/subscription path. Only POST. Thanks.

ilopezluna, asked Mar 06 '15 20:03



2 Answers

Take a look here https://github.com/spring-projects/spring-data-examples/tree/master/rest/security which has

    // HttpMethod is org.springframework.http.HttpMethod
    http
        .httpBasic().and()
        .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/employees").hasRole("ADMIN")
            .antMatchers(HttpMethod.PUT, "/employees/**").hasRole("ADMIN")
            .antMatchers(HttpMethod.PATCH, "/employees/**").hasRole("ADMIN");
Matt C, answered Sep 24 '22 14:09


I know this question is a bit old, but I don't believe disabling CSRF support is an acceptable answer. I had this same problem but didn't feel good about using csrf.disable(). Instead I added the following line at the bottom of the page inside the form tags.

    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
Patrick, answered Sep 20 '22 14:09
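The two answers above make separate points: Matt C's, that `antMatchers` takes an `HttpMethod` so a rule can apply to POST only, and Patrick's, that the fix for a rejected POST is to send the CSRF token rather than to disable CSRF. The following is an added example that combines both for the situation in the question; it is not code from the question, from the repository Matt C links, or from Patrick's answer. It targets the `WebSecurityConfigurerAdapter` API (Spring Security 4.1 through 5.x, where `CookieCsrfTokenRepository` exists). The class name, the `/api/subscriptions` paths and the `ROLE_ADMIN` authority string are assumptions chosen for illustration.

```java
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

/**
 * Added example (not from the question or either answer): open POST on
 * /api/subscriptions to anonymous callers, restrict DELETE on it to admins,
 * and leave every other method on it, and everything else under /api/,
 * behind a login. Class name, paths and authority name are assumptions.
 */
@EnableWebSecurity
public class SubscriptionSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // Keep CSRF protection enabled. permitAll() only removes the
                // authorization check; CsrfFilter still runs for every
                // POST/PUT/PATCH/DELETE, so an anonymous POST that carries no
                // token is rejected with 403 regardless of the rule below.
                // A readable XSRF-TOKEN cookie lets an AJAX client echo the
                // token back in the X-XSRF-TOKEN header, the same contract the
                // CsrfCookieGeneratorFilter in the question provides.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
            .authorizeRequests()
                // Rules are evaluated in order and the first match wins, so the
                // method-specific rules must come before the /api/** catch-all.
                .antMatchers(HttpMethod.POST, "/api/subscriptions").permitAll()
                // Assumed authority name; JHipster keeps it in AuthoritiesConstants.
                .antMatchers(HttpMethod.DELETE, "/api/subscriptions/**").hasAuthority("ROLE_ADMIN")
                // GET, PUT, PATCH ... on /api/subscriptions match neither rule
                // above and fall through to this one, so they still need a login.
                .antMatchers("/api/**").authenticated();
    }
}
```

Compared with the question's `.antMatchers("/api/subscriptions").permitAll()`, which opens every method on that path, the POST-only rule leaves reads and updates protected. If the `/api/**` line were placed first, the two method-specific rules would never be reached. An anonymous client must first obtain the XSRF-TOKEN cookie the repository issues and return it in the X-XSRF-TOKEN header; if the endpoint is meant to accept POSTs that cannot carry a token, exempt that one path with `csrf().ignoringAntMatchers("/api/subscriptions")` (Spring Security 4.0 and later) instead of disabling CSRF globally. On Spring Security 6 the same rules are written with `authorizeHttpRequests()` and `requestMatchers(HttpMethod.POST, ...)`.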