0

Spring security jsp tag authorize can be used to check against the url:

<sec:authorize url="/details" var="allow_url_details"/>

It uses WebInvocationPrivilegeEvaluator for evaluation. The rules has been taken from HttpSecurity config:

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            .requestMatchers("/details").hasAnyRole("OPERATOR","TECH")
            .requestMatchers("/static/*", "/*", "/favicon/*").permitAll()
            .anyRequest().authenticated()
        );
        // ...
    }

From other side, I have @EnableMethodSecurity(jsr250Enabled = true), and on contoller there is @RolesAllowed:

@Controller
public class DetailController extends ControllerTemplate {
    @GetMapping("/details")
    @RolesAllowed({"OPERATOR", "TECH"})
    public String list() {
        return "details/list";
    }

So, we have two places of security allowance declaration:

  1. in http.authorizeHttpRequests (to get <sec:authorize url="/details"> work)
  2. and with @GetMapping (or @Controller)

Can I (How to) use only JSR 250 way of defining allowed urls, so I can use sec:authorize tag without configuring the same urls in HttpSecurity setup?

Chpokeridze
  • 55
  • 7
  • No. As they use different ways of securing and the metadata isn't available to the `WebInvocationPrivilegeEvaluator`. – M. Deinum Jun 27 '23 at 13:18
  • Thanks a lot. Then will implement custom AuthorizationManager that uses existing Jsr250AuthorizationManager – Chpokeridze Jun 27 '23 at 13:45

1 Answers1

0

Now we have the functionality. The draft implementation looks like this:

https://gist.github.com/ol-loginov/e39dec6aebe5a39bce9dfc473282bbb2

It uses almost none security rules in HttpSecurity (except basic ones), and account Jsr250, @Secured, @PreAuthorize annotations.

It has a little overhead, because we need to resolve controller method twice - here and in DispatcherServlet again

Chpokeridze
  • 55
  • 7