Spring security authorize request for url & method using HttpSecurity
83,186
Solution 1
Take a look here https://github.com/spring-projects/spring-data-examples/tree/master/rest/security which has
http
.httpBasic().and()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/employees").hasRole("ADMIN")
.antMatchers(HttpMethod.PUT, "/employees/**").hasRole("ADMIN")
.antMatchers(HttpMethod.PATCH, "/employees/**").hasRole("ADMIN");
Solution 2
I know this question is a bit old but I don't believe disabling csrf support is an acceptable answer. I had this same problem but don't feel good able using csrf.disable(). Instead I added the following line at the bottom of the page inside the form tags.
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
Related videos on Youtube
39 : 29
Spring Boot + Spring Security + JWT from scratch - Java Brains
12 : 44
Spring Method Security
02 : 06 : 49
Spring Boot and Spring Security with JWT including Access and Refresh Tokens 🔑
28 : 31
Spring security for method level | Pre authorized | Post authorized |secure rest api spring security
14 : 54
How to configure Spring Security Authorization - Java Brains
18 : 14
spring security authorization using permissions | spring security tutorial | episode 7
![[Spring Boot Security] #11 HTTP Basic Authentication using Spring Security](https://i.ytimg.com/vi/hF-iMHpl970/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBe3RG_R1cLqV6iHX8L4jyNH4OHVg)
11 : 27
[Spring Boot Security] #11 HTTP Basic Authentication using Spring Security
28 : 03
Bài 12 : Hướng dẫn Spring Security
55 : 56
The New Spring Security Authorization Server Project
12 : 26
What is Spring security URL authorization?
01 : 04 : 30
Spring Security - Lesson 27 - Method authorization configurations
Author by
Ignasi
Updated on July 09, 2022Comments
-
Ignasi almost 2 years
Is there any way to authorize post request to a specific url using
org.springframework.security.config.annotation.web.builders.HttpSecurity?I'm using
HttpSecurityas:@Override protected void configure(HttpSecurity http) throws Exception { http .addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class) .exceptionHandling() .authenticationEntryPoint(authenticationEntryPoint) .and() .rememberMe() .rememberMeServices(rememberMeServices) .key(env.getProperty("jhipster.security.rememberme.key")) .and() .formLogin() .loginProcessingUrl("/api/authentication") .successHandler(ajaxAuthenticationSuccessHandler) .failureHandler(ajaxAuthenticationFailureHandler) .usernameParameter("j_username") .passwordParameter("j_password") .permitAll() .and() .logout() .logoutUrl("/api/logout") .logoutSuccessHandler(ajaxLogoutSuccessHandler) .deleteCookies("JSESSIONID") .permitAll() .and() .headers() .frameOptions() .disable() .authorizeRequests() .antMatchers("/api/register").permitAll() .antMatchers("/api/activate").permitAll() .antMatchers("/api/authenticate").permitAll() .antMatchers("/api/logs/**").hasAuthority(AuthoritiesConstants.ADMIN) .antMatchers("/api/subscriptions").permitAll() .antMatchers("/api/**").authenticated(); }I would like to allow POST requests to /api/subscription path. Only POST. Thanks.
-
Matt C about 8 yearsGood point, I will update my answer as the csrf part is not relevant to the original question. This was taken as is from a documented example of doing rest calls rather than web as seen here github.com/spring-projects/spring-data-examples/blob/master/… -
Matt C about 8 yearsUpdated to exclude the csrf disable which was copied in from the referenced code. This was also discussed in an another answer
-
Frans about 4 yearsDoes not address requirement for only POST requests to be allowed.
-
Braian Coronel about 3 yearsWhy you exclude?
