I made a REST API project with Spring Boot. All the standard methods like GET, POST, PUT and DELETE are in the Controller.

My aim is to make it possible for me to only be able to access the API calls (except GET calls) via my Angular app. The other methods (POST, PUT and DELETE) cannot be accessible from outside.

I tried to solve this problem with WebSecurityConfigurerAdapter and the configure function, but I couldn't get it to work. When I first imported the security dependency (spring-boot-starter-security) in pom.xml, all methods were blocked. I tried to permit the GET calls in the configure method, but then I could not make a POST call with basic auth over Postman. Every time I got a 403 Forbidden error.

import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Ignored requests bypass the Spring Security filter chain entirely
        web.ignoring()
            .antMatchers(HttpMethod.GET)
            .antMatchers("/h2-console/**")
            .antMatchers("/login/**");
    }

}

By the way, I wanted to set my own username and password for Spring Security in the application.properties file. But I think that doesn't work if I use a SecurityConfig configuration file.

spring.security.user.name=myUsername
spring.security.user.password=myPassword

Regardless of my attempts, how can I actually achieve this in the shortest and easiest way? And then how can I call the blocked methods (POST, PUT, DELETE) from my Angular application?

Thanks.

Chris Gilardi
Raul34

1 Answer

If I'm not mistaken, you want your project to have no access restrictions for GET methods, and everyone should have access to this method type.

All remaining requests (POST, PUT, DELETE, etc.) can be accessed with authentication.

You can achieve this as follows. Assuming you have a controller like below:

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("security")
public class SecurityController {

    @GetMapping("get")
    public ResponseEntity<String> get() {
        return ResponseEntity.ok("Get Method");
    }

    @PostMapping("post")
    public ResponseEntity<String> post() {
        return ResponseEntity.ok("Post Method");
    }

    @PutMapping("put")
    public ResponseEntity<String> put() {
        return ResponseEntity.ok("Put Method");
    }

    @DeleteMapping("delete")
    public ResponseEntity<String> delete() {
        return ResponseEntity.ok("delete");
    }

}

In this case your WebSecurityConfigurer should be like below:

import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()   // CSRF token check off: with it on, a POST without a token gets 403 even with valid credentials
                .authorizeRequests()
                .antMatchers(HttpMethod.GET).permitAll()   // every GET request, no credentials needed
                .anyRequest().authenticated()              // all other methods require an authenticated user
                .and().httpBasic();                        // credentials are sent as HTTP Basic Auth
    }
}

The first thing to do here is to specify that GET, which is an HTTP method, can be accessed without any authorization. It then requires authorization for accesses using the remaining HttpMethods. Finally, we specify that we are using Basic Auth with httpBasic(). This information consists of the username and password defined in your application.properties file.

You can see the difference between HttpSecurity and WebSecurity by examining the question here.

I hope this answer helps you.

fatih
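A test that checks the policy the answer configures (GET is public, every other method needs Basic Auth) and tells a missing-credentials 401 apart from the CSRF 403 the question ran into. This is an added example, not code from the question or the answer; it assumes the SecurityController and WebSecurityConfigurer shown above are on the classpath, with spring-boot-starter-test and spring-security-test as test dependencies, and the class name MethodPolicyTest is made up.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.web.servlet.MockMvc;

// Added test (not from the question or answer). Assumes the SecurityController
// and WebSecurityConfigurer from the answer are on the classpath, with
// spring-boot-starter-test and spring-security-test as test dependencies.
@SpringBootTest
@AutoConfigureMockMvc
// Test-only credentials, set through the same keys the question uses.
@TestPropertySource(properties = {
        "spring.security.user.name=myUsername",
        "spring.security.user.password=myPassword"})
class MethodPolicyTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void getIsPublic() throws Exception {
        mvc.perform(get("/security/get")).andExpect(status().isOk());
    }

    @Test
    void postWithoutCredentialsIsUnauthorized() throws Exception {
        // With csrf().disable() and httpBasic() a missing Authorization header
        // yields 401 from the entry point, not the 403 a CSRF rejection produces.
        mvc.perform(post("/security/post")).andExpect(status().isUnauthorized());
    }

    @Test
    void postWithCredentialsIsAllowed() throws Exception {
        mvc.perform(post("/security/post").with(httpBasic("myUsername", "myPassword")))
                .andExpect(status().isOk());
    }

    @Test
    void deleteWithWrongPasswordIsUnauthorized() throws Exception {
        mvc.perform(delete("/security/delete").with(httpBasic("myUsername", "wrong")))
                .andExpect(status().isUnauthorized());
    }
}
```

If the second test returns 403 instead of 401, CSRF protection is still active on the chain that handles the request, which is the same symptom the question describes.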