I have implemented Spring Security Expression in my application Spring controller:
    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.ResponseBody;

    @Controller
    @RequestMapping("init")
    public class InitController {

        @PreAuthorize("hasRole('ROLE_ADMIN')")
        @RequestMapping(value = "/", method = RequestMethod.GET)
        public @ResponseBody String home() {
            return "This is the init page";
        }
    }
With this security configuration:
    <http auto-config="true" create-session="stateless" use-expressions="true">
        <intercept-url pattern="/_ah*" access="permitAll" />
        <intercept-url pattern="/init/*" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/init*" access="hasRole('ROLE_ADMIN')" />
    </http>
When this resource is accessed, the default Spring login form is displayed (http://localhost:8888/spring_security_login). However, I don't want this to happen; I just want the credentials to be inserted in a request header like "x-authorization-key", or whatever fits the scenario.
What is the possible solution for this?
You should probably read the description of what `auto-config` does, then remove it to disable `form-login`. Your configuration will be clearer if you specifically configure what you want to use.
It's not clear from your question what you want to be included in the `x-authorization-key` header. If you are just authenticating with a client ID and shared secret, then you might as well use basic authentication, since it is already supported out of the box and you can just add `<http-basic />` to your configuration. If you have something more customized in mind, then you will probably have to implement a custom filter and add it to the Spring Security filter chain to extract the credentials and process them.
How your authentication mechanism fits in is also dependent on what it actually consists of. Normally your users will have assigned roles which are loaded when they authenticate, usually from a database of some kind. The `hasRole` expression simply checks whether the current user has the specified role. Often you will only need to create a `UserDetailsService` which loads your user information in a standard format that is easily plugged into the framework. This is covered at length elsewhere. If you really need something more customized, this blog article on GAE integration includes details of how you might go about integrating with a more complicated system.
Spring Security will not create or use a session if you use `create-session="stateless"`.
P.S. You don't really need to include the same security attributes both at the URL level and on your controller which handles the same URL.
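The custom-filter route the answer describes, written out as an added example (this is not code from the question, the answer or Spring Security itself). It reads a shared secret from an `x-authorization-key` header, compares it in constant time, and on a match installs an authenticated token carrying `ROLE_ADMIN` so that both the `<intercept-url>` rules and the `@PreAuthorize` check pass. The header name, the class name, the principal name `api-client` and the idea of a single hard-coded admin key are assumptions for illustration; a real deployment would load the key from configuration and look the client up in a store, as the answer's `UserDetailsService` remark suggests.

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Added example (not from the original post): authenticates each request from
 * an "x-authorization-key" header instead of a login form. The header name,
 * the principal name and the single shared admin key are assumptions.
 */
public class ApiKeyAuthenticationFilter extends OncePerRequestFilter {

    static final String HEADER = "x-authorization-key";
    private static final Charset UTF8 = Charset.forName("UTF-8");

    // Shared secret for the one admin client; injected from configuration (assumption).
    private final String expectedKey;

    public ApiKeyAuthenticationFilter(String expectedKey) {
        this.expectedKey = expectedKey;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        String presented = request.getHeader(HEADER);
        if (presented != null && keysMatch(presented, expectedKey)) {
            // Valid key: the three-argument constructor marks the token as authenticated,
            // and the ROLE_ADMIN authority satisfies hasRole('ROLE_ADMIN').
            Authentication auth = new UsernamePasswordAuthenticationToken(
                    "api-client", null, AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        // Missing or wrong key: leave the context empty. The authorization filter
        // later in the chain then rejects the request through the configured
        // entry point rather than redirecting to spring_security_login.
        // With create-session="stateless" nothing is cached, so this runs on every request.
        chain.doFilter(request, response);
    }

    /**
     * Constant-time comparison so an attacker cannot recover the key byte by
     * byte from response timing. Only the length is allowed to leak.
     */
    static boolean keysMatch(String presented, String expected) {
        return MessageDigest.isEqual(presented.getBytes(UTF8), expected.getBytes(UTF8));
    }
}
```

To wire it in, declare the filter as a bean (for example `<beans:bean id="apiKeyFilter" class="ApiKeyAuthenticationFilter"><beans:constructor-arg value="${api.key}"/></beans:bean>`, with the key supplied from a property rather than committed to source), drop `auto-config="true"` from `<http>`, add `<custom-filter ref="apiKeyFilter" position="PRE_AUTH_FILTER" />` inside it, and point `entry-point-ref` at an `org.springframework.security.web.authentication.Http403ForbiddenEntryPoint` bean so unauthenticated requests get a 403 instead of a redirect. The namespace still expects an `<authentication-manager>` element to be present even though this filter never calls it. If the header value is really just a client ID and secret, the answer's simpler suggestion, `<http-basic />` with a `UserDetailsService`, gets you the same result with no custom code.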