Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Spring security authorize request for url & method using HttpSecurity

Tags:

spring

spring-security

spring-java-config

jhipster

Is there any way to authorize post request to a specific url using org.springframework.security.config.annotation.web.builders.HttpSecurity ?

I'm using HttpSecurityas:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class)
            .exceptionHandling()
            .authenticationEntryPoint(authenticationEntryPoint)
        .and()
            .rememberMe()
            .rememberMeServices(rememberMeServices)
            .key(env.getProperty("jhipster.security.rememberme.key"))
        .and()
            .formLogin()
            .loginProcessingUrl("/api/authentication")
            .successHandler(ajaxAuthenticationSuccessHandler)
            .failureHandler(ajaxAuthenticationFailureHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()
        .and()
            .logout()
            .logoutUrl("/api/logout")
            .logoutSuccessHandler(ajaxLogoutSuccessHandler)
            .deleteCookies("JSESSIONID")
            .permitAll()
        .and()
            .headers()
            .frameOptions()
            .disable()
            .authorizeRequests()
                .antMatchers("/api/register").permitAll()
                .antMatchers("/api/activate").permitAll()
                .antMatchers("/api/authenticate").permitAll()
                .antMatchers("/api/logs/**").hasAuthority(AuthoritiesConstants.ADMIN)
                .antMatchers("/api/subscriptions").permitAll()
                .antMatchers("/api/**").authenticated();
}

I would like to allow POST requests to /api/subscription path. Only POST. Thanks.

like image 267
ilopezluna Avatar asked Mar 06 '15 20:03

ilopezluna

People also ask

How do I restrict URL in Spring boot?

Securing the URLs The most common methods are: authenticated(): This is the URL you want to protect, and requires the user to login. permitAll(): This is used for URL's with no security applied for example css, javascript. hasRole(String role): Restrict to single role.

2 Answers

Take a look here https://github.com/spring-projects/spring-data-examples/tree/master/rest/security which has 

http   .httpBasic().and()   .authorizeRequests()     .antMatchers(HttpMethod.POST, "/employees").hasRole("ADMIN")     .antMatchers(HttpMethod.PUT, "/employees/**").hasRole("ADMIN")     .antMatchers(HttpMethod.PATCH, "/employees/**").hasRole("ADMIN");
like image 67
Matt C Avatar answered Sep 24 '22 14:09

Matt C

I know this question is a bit old but I don't believe disabling csrf support is an acceptable answer. I had this same problem but don't feel good able using csrf.disable(). Instead I added the following line at the bottom of the page inside the form tags.

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
like image 34
Patrick Avatar answered Sep 20 '22 14:09

Patrick
Sign in to Comment

Related questions

How to design a good JWT authentication filter
Spring Autowiring class vs. interface?
Spring WebSocket @SendToSession: send message to specific session
Difference between isAuthenticated and isFullyAuthenticated
HibernateTransactionManager or JpaTransactionManager
Use of multiple DataSources in Spring Batch
How Spring Boot run batch jobs
Difference between registerGlobal(), configure(), configureGlobal(),configureGlobalSecurity in Spring security
Spring Property Injection in a final attribute @Value - Java
Spring Data JPA - Multiple EnableJpaRepositories
How to correctly use PagedResourcesAssembler from Spring Data?
Spring ApplicationListener is not receiving events
Initialize database without XML configuration, but using @Configuration
Spring configuration for embedded H2 database for tests
Difference between @Qualifier and @Resource
java properties file using multiple lines for one property
How to set up datasource with Spring for HikariCP?
Spring Data JPA. How to get only a list of IDs from findAll() method
For each operator in Thymeleaf
Spring 3.1 Hibernate 4 exception for Inheritance [cannot be cast to org.hibernate.mapping.RootClass]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!