I have added Spring Security with taglibs for role-based content loading in my application. The authentication process will be taken care of by an external service, and after successful authentication the external service will add user detail and role detail in the request header. In my application I have to get the roles from the request header and need to validate the roles with the Spring Security configure method.

Help me on how to validate the roles.

Spring Security class:

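    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(final HttpSecurity http) throws Exception {

            http.authorizeRequests()
                .antMatchers("/login").permitAll()
                .antMatchers("/console")
                .access("hasRole('MASTER ADMIN') or hasRole('ADMIN') or hasRole('DEV') or hasRole('QA')")
                .and()
                .formLogin()
                .defaultSuccessUrl("/console", true)
                .and().logout().logoutSuccessUrl("/login");
        }
    }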

Controller class:

    @RequestMapping(value = "/login")
    public ModelAndView validateLogin(final HttpServletRequest request, final HttpServletResponse response) {
        final ModelAndView modelView = new ModelAndView();
        final String loginUserId = request.getParameter("USER");
        final String companyCode = request.getHeader("ROLE");
        final String firstName = request.getHeader("FIRSTNAME");
        final String lastName = request.getHeader("LASTNAME");

        // some code to validate the role details with the Spring Security configure method
        // (i.e. the hasRole access checks) and return the default success URL based on the role
        return modelView;
    }

Rithik_Star
  • Well, I think this might help you. https://stackoverflow.com/questions/36736861/spring-security-access-request-parameters-inside-userdetailsservice-implementa . Your UserDetailsService is responsible for defining roles for your Principal. How you create those roles may be either by accessing a DB or getting the roles from your request header. I am not discussing if this is good or bad to get the roles from a request header, what I am doing is providing a possible solution for your question :D. – Adrian Claudiu Dima Jun 12 '18 at 19:02
  • Also I am assuming you want to use @PreAuthorize("hasRole('MASTER ADMIN')") <- which invokes the check for user roles, roles which are provided by your UserDetailsService implementation. – Adrian Claudiu Dima Jun 12 '18 at 19:03
  • @AdrianClaudiuDima Thank you. UserDetailServiceImpl won't suit my need, because I am not going to fetch any detail from either DB or external service. All the user information will be available in the request header. I only need to validate the role in the request header with the Spring Security configure method. – Rithik_Star Jun 13 '18 at 18:02
  • @AdrianClaudiuDima The overridden Spring Security configure method is defined with access for MASTER ADMIN, ADMIN etc. I have to validate whether the request header (which is already authenticated by SiteMinder) has any of the above roles. – Rithik_Star Jun 13 '18 at 18:04
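
One way to feed the header roles into the `hasRole` checks is Spring Security's pre-authentication support; this is an added example, not code from the question or its comments. It assumes the user id arrives in a `USER` header and that `ROLE` may carry comma-separated values; the class name and the `authoritiesFrom` helper are hypothetical.

```java
import java.util.*;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.preauth.*;

@Configuration
@EnableWebSecurity
public class HeaderRoleSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Allow-list: a header value outside this set never becomes an authority.
    private static final Set<String> KNOWN_ROLES = new HashSet<>(Arrays.asList("MASTER ADMIN", "ADMIN", "DEV", "QA"));

    // Assumption: ROLE holds one role or several separated by commas.
    static List<SimpleGrantedAuthority> authoritiesFrom(String roleHeader) {
        if (roleHeader == null) return Collections.emptyList();
        return Arrays.stream(roleHeader.split(","))
                .map(String::trim)
                .filter(KNOWN_ROLES::contains)
                .map(r -> new SimpleGrantedAuthority("ROLE_" + r)) // hasRole('X') checks for ROLE_X
                .collect(Collectors.toList());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        // Takes the authorities from the token details built by the filter below; no DB lookup.
        provider.setPreAuthenticatedUserDetailsService(new PreAuthenticatedGrantedAuthoritiesUserDetailsService());
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader("USER");  // assumption: user id is sent as a header
        filter.setExceptionIfHeaderMissing(false); // missing header: request stays unauthenticated
        filter.setAuthenticationDetailsSource(request ->
                new PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails(request, authoritiesFrom(request.getHeader("ROLE"))));
        filter.setAuthenticationManager(authenticationManager());
        http.addFilter(filter)
            .authorizeRequests()
            .antMatchers("/console").hasAnyRole("MASTER ADMIN", "ADMIN", "DEV", "QA")
            .anyRequest().authenticated(); // no formLogin: authentication happens upstream
    }
}
```

The headers are only trustworthy when the application is reachable solely through the authenticating service; any other network path lets a client set `USER` and `ROLE` itself.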
