I need to implement authorization based on the namespace of the URI. For example, localhost:8080/common/* would be accessible to all kinds of users and localhost:8080/admin/* would be accessible only to admin users.

I've already used UsernamePasswordAuthenticationFilter for login stuff but I don't know how to check for authorization for each request.

Can anybody guide me on how to implement this kind of authorization with Spring Security?

Thanks & Regards.

SmartSolution

1 Answer

You can achieve this using the <intercept-url> element.

The intercept-url element can be used to define a pattern which is matched against the URLs of incoming requests using an ant path style syntax.

For example, with Spring 3.0+ using SpEL:

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/common/*" access="permitAll" />
    <!-- hasAnyRole takes each role as its own quoted argument -->
    <intercept-url pattern="/registered/*" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
</http>

If you don't have SpEL support, then use it like this:

<http auto-config='true'>
    <intercept-url pattern="/common/*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/registered/*" access="ROLE_USER,ROLE_ADMIN" />
    <!-- "/**" also covers nested paths such as /admin/a/b; a single "*" matches one path segment only -->
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
</http>

Update - If you are doing forwards in your JSP/JSF pages, you need to set once-per-request="false" on the http element.

Ravi Kadaboina
  • Thanks for your reply. Actually, I've tried the same code, but this authorization happens once only at the time of login (authentication); later on it doesn't happen for each request. – SmartSolution Jul 04 '12 at 08:50
  • So I think you are doing forwards in your JSP/JSF pages. I have updated the answer! – Ravi Kadaboina Jul 04 '12 at 13:23
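
Added example, not part of the original answer or comments: the answer's SpEL rules combined with its once-per-request update, written so that nested paths are covered and unlisted URLs are not left open. It assumes the Spring Security 3.x namespace is the default XML namespace, as in the answer's snippets; the closing catch-all rule and its policy (any logged-in user) are assumptions, not something the answer specifies.

```xml
<!-- Added example: assumes Spring Security 3.x namespace configuration. -->
<!-- once-per-request="false" re-runs the authorization check on forwarded
     requests. It only takes effect if the springSecurityFilterChain
     filter-mapping in web.xml also lists the FORWARD dispatcher, because
     servlet filters see only REQUEST dispatches by default. -->
<http auto-config="true" use-expressions="true" once-per-request="false">

    <!-- Rules are evaluated top to bottom and the first matching pattern
         wins, so specific namespaces go first and the catch-all goes last. -->

    <!-- "/**" matches nested paths as well. "/admin/*" would match
         /admin/users but not /admin/users/42, which would then fall through
         to whatever rule (if any) comes next. -->
    <intercept-url pattern="/admin/**"
                   access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/registered/**"
                   access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    <intercept-url pattern="/common/**"
                   access="permitAll" />

    <!-- Assumed policy: any URL not matched above still requires a
         logged-in user instead of being reachable by everyone. -->
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>
```

A custom login page would need its own permitAll rule placed above the catch-all.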