Allow get, but not post, put for some role

Question

I use spring boot and spring security.

i add security based on url like this

http
    .authorizeRequests()                                                                
        .antMatchers("/resources/**", "/signup", "/about").permitAll()                  
        .antMatchers("/admin/**").hasRole("ADMIN")                                      
        .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")            
        .anyRequest().authenticated()                                                   
        .and()
    // ...
    .formLogin();

Is there a way to authorise only get, post, put... on url for some role?

score 1 · Accepted Answer · edited May 23 '17 at 11:58

1

You can pass method as the first argument of antMatchers() method:

http.authorizeRequests()
    .antMatchers(HttpMethod.GET, "/admin/**").hasRole("ADMIN")

Link to API for AbstractRequestMatcherRegistry.antMatchers()

P.S. Similar question: Spring security authorize request for url & method using HttpSecurity

edited May 23 '17 at 11:58

Community

1
1

answered Jun 17 '16 at 14:35

Slava Semushin

14,904
7
53
69

Allow get, but not post, put for some role

1 Answers1