Spring security authorize request for url & method using HttpSecurity
Solution 1
Take a look here https://github.com/spring-projects/spring-data-examples/tree/master/rest/security which has:
http
    .httpBasic().and()
    .authorizeRequests()
        .antMatchers(HttpMethod.POST, "/employees").hasRole("ADMIN")
        .antMatchers(HttpMethod.PUT, "/employees/**").hasRole("ADMIN")
        .antMatchers(HttpMethod.PATCH, "/employees/**").hasRole("ADMIN");
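As an added example that is not part of either answer or of the linked Spring project, here is a complete configuration for the asker's case on the WebSecurityConfigurerAdapter API of that era: POST on /api/subscriptions is open to anyone, while every other method on that path and the rest of /api/** require authentication. The class name, the "ADMIN" authority string and the use of HTTP Basic are assumptions; CSRF protection stays enabled, and only the one anonymous POST path is exempted from it instead of disabling CSRF globally.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Assumed names: the class name and the "ADMIN" authority string are illustrative.
@Configuration
@EnableWebSecurity
public class SubscriptionSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF stays on for the whole application. An anonymous POST to
            // /api/subscriptions would still need a valid token, so either the
            // client sends one (the hidden _csrf input from Solution 2) or this
            // single path is exempted, which is far narrower than csrf().disable().
            .csrf()
                .ignoringAntMatchers("/api/subscriptions")
                .and()
            .httpBasic()
                .and()
            .authorizeRequests()
                // Rules are evaluated top to bottom and the first match wins,
                // so the method-specific rule must precede the broader ones.
                .antMatchers(HttpMethod.POST, "/api/subscriptions").permitAll()
                // GET, PUT, DELETE, PATCH on the same path fall through to here.
                .antMatchers("/api/subscriptions").authenticated()
                .antMatchers("/api/logs/**").hasAuthority("ADMIN")
                // Catch-all for the rest of the API.
                .antMatchers("/api/**").authenticated()
                // Anything not listed above still requires a login rather than
                // being silently open; add explicit permitAll rules above this
                // line for static resources if the application serves any.
                .anyRequest().authenticated();
    }
}
```

A quick check with MockMvc is to perform an anonymous POST and an anonymous GET against /api/subscriptions: the POST must not come back as 401 or 403, while the GET must be rejected with 401.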
Solution 2
I know this question is a bit old but I don't believe disabling csrf support is an acceptable answer. I had this same problem but don't feel good about using csrf.disable(). Instead I added the following line at the bottom of the page inside the form tags.
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
Author: Ignasi
Updated on July 09, 2022
Comments
-
Ignasi almost 2 years: Is there any way to authorize a POST request to a specific URL using org.springframework.security.config.annotation.web.builders.HttpSecurity? I'm using HttpSecurity as:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class)
        .exceptionHandling()
            .authenticationEntryPoint(authenticationEntryPoint)
            .and()
        .rememberMe()
            .rememberMeServices(rememberMeServices)
            .key(env.getProperty("jhipster.security.rememberme.key"))
            .and()
        .formLogin()
            .loginProcessingUrl("/api/authentication")
            .successHandler(ajaxAuthenticationSuccessHandler)
            .failureHandler(ajaxAuthenticationFailureHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/api/logout")
            .logoutSuccessHandler(ajaxLogoutSuccessHandler)
            .deleteCookies("JSESSIONID")
            .permitAll()
            .and()
        .headers()
            .frameOptions()
            .disable()
        .authorizeRequests()
            .antMatchers("/api/register").permitAll()
            .antMatchers("/api/activate").permitAll()
            .antMatchers("/api/authenticate").permitAll()
            .antMatchers("/api/logs/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/api/subscriptions").permitAll()
            .antMatchers("/api/**").authenticated();
}
I would like to allow POST requests to /api/subscription path. Only POST. Thanks.
-
Matt C about 8 years: Good point, I will update my answer as the csrf part is not relevant to the original question. This was taken as is from a documented example of doing rest calls rather than web as seen here github.com/spring-projects/spring-data-examples/blob/master/…
-
Matt C about 8 years: Updated to exclude the csrf disable which was copied in from the referenced code. This was also discussed in another answer.
-
Frans about 4 years: Does not address the requirement for only POST requests to be allowed.
-
Braian Coronel about 3 years: Why do you exclude it?