
I have a question about Spring Security. I have several pages - A, B and C - and 4 HTTP methods to manipulate them: GET, PUT, POST, DELETE. For each combination, e.g. A+GET, I would like to have a special authority of the form resource-Page-Method. How can I implement it? The following code doesn't work: it allows everything for all users even if they do not have any rights.

@Override
protected void configure(HttpSecurity http) throws Exception {

    // Pre-authentication: trust the SM_USER header set by SiteMinder
    RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
    siteMinderFilter.setPrincipalRequestHeader("SM_USER");
    siteMinderFilter.setAuthenticationManager(authenticationManager());

    http.addFilter(siteMinderFilter);

    List<HttpMethod> methods = new ArrayList<HttpMethod>();
    methods.add(HttpMethod.GET);
    methods.add(HttpMethod.POST);
    methods.add(HttpMethod.PUT);
    methods.add(HttpMethod.DELETE);

    List<String> resources = new ArrayList<String>();
    resources.add("A");
    resources.add("B");
    resources.add("C");

    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http.authorizeRequests();

    // One rule per (method, resource) pair, each requiring the authority resource-<Page>-<Method>
    for (HttpMethod method : methods) {
        for (String resource : resources) {
            String auth = "resource-" + resource + "-" + method.name();
            registry.antMatchers(method, "**/" + resource + "/**")
                    .hasAuthority(auth);
        }
    }

    http = registry.and();
    http.formLogin();
}
user2957954
  • Why did you not read my text? I wrote: for each combination I want to add an authority. So every user should be logged on, of course, but not only that. I want a user who wants to have access to the GET and PUT methods of page A and to the DELETE method of page B to have the authorities: resource-A-GET, resource-A-PUT, resource-B-DELETE – user2957954 Aug 03 '15 at 14:00
  • Then for each of your methods, you will require a ROLE, and a user can have multiple roles. What's the problem with that line of thinking? For example: ROLE_GET, ROLE_DELETE, ROLE_POST, etc. – We are Borg Aug 03 '15 at 14:04
  • Why did you not read my text? I would like to have a special authority for each combination of role and method. I would like to define my security through authorities, which is also allowed in Spring Security somehow (read about the `hasAuthority()` method) – user2957954 Aug 03 '15 at 14:17
  • For starters, I am reading your text; read the answer here: http://stackoverflow.com/questions/19525380/difference-between-role-and-grantedauthority-in-spring-security . – We are Borg Aug 03 '15 at 14:25

1 Answer

The only reason why the filters didn't function was the missing slash / at the beginning of the matcher pattern:

Instead of this

 registry.antMatchers(method, "**/"+resource+"/**") 

I should have written this

 registry.antMatchers(method, "/**/"+resource+"/**")
user2957954
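The fix above carried through as a complete configuration, written here as an added example (it is not the poster's code or part of the answer): one authority per resource/method pair, matcher patterns with the leading slash, and a fail-closed catch-all so that a request no rule matches is denied instead of silently permitted, which is what made the original code "allow everything". The resource names, the SM_USER header, the assumption that the pages live under /A, /B and /C, and the existence of an AuthenticationManager with a PreAuthenticatedAuthenticationProvider that maps SM_USER to the resource-X-Y authorities are all assumptions of this example.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.util.AntPathMatcher;

/**
 * Added example, not the original poster's code.
 * One authority per (resource, method) pair, e.g. "resource-A-GET".
 * Assumptions: resources are served under /A/**, /B/**, /C/**; SiteMinder
 * sets SM_USER; an AuthenticationManager with a PreAuthenticatedAuthenticationProvider
 * that loads the user's resource-X-Y authorities is configured elsewhere (not shown).
 */
@Configuration
@EnableWebSecurity
public class ResourceMethodAuthorityConfig extends WebSecurityConfigurerAdapter {

    private static final List<String> RESOURCES = Arrays.asList("A", "B", "C");
    private static final List<HttpMethod> METHODS =
            Arrays.asList(HttpMethod.GET, HttpMethod.POST, HttpMethod.PUT, HttpMethod.DELETE);

    /** Authority name for a resource/method pair: resource-A-GET, resource-B-DELETE, ... */
    static String authorityFor(String resource, HttpMethod method) {
        return "resource-" + resource + "-" + method.name();
    }

    /** Ant pattern for a resource. It must start with "/" to match a servlet path. */
    static String patternFor(String resource) {
        return "/" + resource + "/**";
    }

    /** Same check Spring Security's AntPathRequestMatcher performs on the servlet path. */
    static boolean patternMatches(String pattern, String servletPath) {
        return new AntPathMatcher().match(pattern, servletPath);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Pre-authentication: the SM_USER header is the principal
        RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
        siteMinderFilter.setPrincipalRequestHeader("SM_USER");
        siteMinderFilter.setAuthenticationManager(authenticationManager());

        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry =
                http.addFilter(siteMinderFilter)
                    .authorizeRequests();

        // Rules are evaluated in order; the first matching rule wins, so keep
        // patterns as specific as possible.
        for (String resource : RESOURCES) {
            for (HttpMethod method : METHODS) {
                registry.antMatchers(method, patternFor(resource))
                        .hasAuthority(authorityFor(resource, method));
            }
        }

        // Fail closed: anything not covered above is denied, not permitted.
        registry.anyRequest().denyAll();
    }

    /** Shows why the pattern without the leading slash never matched anything. */
    public static void main(String[] args) {
        String servletPath = "/A/1"; // constructed sample request path
        System.out.println("**/A/**  -> " + patternMatches("**/A/**", servletPath));
        System.out.println("/**/A/** -> " + patternMatches("/**/A/**", servletPath));
        System.out.println("/A/**    -> " + patternMatches("/A/**", servletPath));
    }
}
```

AntPathMatcher refuses to match when the pattern and the path disagree on a leading slash, so "**/A/**" matches no servlet path at all; with no rule matched and no anyRequest() catch-all, authorizeRequests() simply does not restrict the request, which is why every user could do everything. The denyAll() catch-all turns that into a 403. If you keep formLogin() instead of the header filter, permit the login URL explicitly before the catch-all, and note that "/**/A/**" also matches paths such as /B/A/x, so prefer the narrower "/A/**" when the URL layout allows it.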