Spring security authorize request for url & method using HttpSecurity

spring spring-security spring-java-config jhipster
ilopezluna picture ilopezluna · Mar 6, 2015 · Viewed 64.1k times · Source

Is there any way to authorize post request to a specific url using org.springframework.security.config.annotation.web.builders.HttpSecurity ?

I'm using HttpSecurityas:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class)
            .exceptionHandling()
            .authenticationEntryPoint(authenticationEntryPoint)
        .and()
            .rememberMe()
            .rememberMeServices(rememberMeServices)
            .key(env.getProperty("jhipster.security.rememberme.key"))
        .and()
            .formLogin()
            .loginProcessingUrl("/api/authentication")
            .successHandler(ajaxAuthenticationSuccessHandler)
            .failureHandler(ajaxAuthenticationFailureHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()
        .and()
            .logout()
            .logoutUrl("/api/logout")
            .logoutSuccessHandler(ajaxLogoutSuccessHandler)
            .deleteCookies("JSESSIONID")
            .permitAll()
        .and()
            .headers()
            .frameOptions()
            .disable()
            .authorizeRequests()
                .antMatchers("/api/register").permitAll()
                .antMatchers("/api/activate").permitAll()
                .antMatchers("/api/authenticate").permitAll()
                .antMatchers("/api/logs/**").hasAuthority(AuthoritiesConstants.ADMIN)
                .antMatchers("/api/subscriptions").permitAll()
                .antMatchers("/api/**").authenticated();
}

I would like to allow POST requests to /api/subscription path. Only POST. Thanks.

Answer

Matt C picture Matt C · Mar 16, 2015

Take a look here https://github.com/spring-projects/spring-data-examples/tree/master/rest/security which has 

http
  .httpBasic().and()
  .authorizeRequests()
    .antMatchers(HttpMethod.POST, "/employees").hasRole("ADMIN")
    .antMatchers(HttpMethod.PUT, "/employees/**").hasRole("ADMIN")
    .antMatchers(HttpMethod.PATCH, "/employees/**").hasRole("ADMIN");

Related questions

disabling spring security in spring boot app

I have a spring boot web app with spring security configured. I want to disable authentication for a while (until needed). I add this to the application.properties: security.basic.enable: false management.security.enabled: false Here is some part …

Read More
How To Inject AuthenticationManager using Java Configuration in a Custom Filter

I'm using Spring Security 3.2 and Spring 4.0.1 I'm working on converting an xml config into a Java config. When I annotate AuthenticationManager with @Autowired in my Filter, I'm getting an exception Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean …

Read More
Spring Security 3.2: @Autowire doesn't work with java configuration and custom AuthenticationProvider in Spring MVC application?

This problem is relatively well discussed in several blog posts and SO questions. Nevertheless, I wasn't able to find one specifically addressing the problem with java configuration. I'm suspecting that I'm doing something wrong in my java configuration files, since …

Read More