Spring Security

I am just learning about Spring Security. Consider

  <security:form-login always-use-default-target="false"
   authentication-failure-url="/login.do?error=1" default-target-url="admin/admin.do"
   login-page="/login.do?error=0" login-processing-url="/j_security_check" />

Currently all the users who log in are able to access the admin page. If I need to restrict the users to the admin page based on authorization, for example if the user has ROLE_UPDATE, what needs to be done? Is it something like in the ...non-jee.xml file?

Or do I need to change the application code so that it looks up the "ROLE_UPDATE" for the user that has logged in successfully using the form?

Realize this question is old, but for those who find this ... Details can be found here with good examples and documentation: http://docs.spring.io/spring-security/site/docs/4.0.0.RELEASE/reference/htmlsingle/#authorization

The most common scenario is that each user has a collection of roles assigned to them. You can then restrict functionality by roles. That functionality could be URLs and/or methods. Since your example showed an XML configuration, here's an XML example of how you might limit access to a URL. (Note: this is in the http section of the config, i.e. a sibling of the form-login you showed above.)

<http>
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <form-login ... />
</http>

There are more complex options, but this should get you started. A section that has some good detail is here: http://docs.spring.io/spring-security/site/docs/4.0.0.RELEASE/reference/htmlsingle/#ns-form-and-basic
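
An added example (not from the original answer or the Spring Security documentation) applying the rule above to the question's `ROLE_UPDATE` case with the Spring Security 4 namespace. The `/denied.do` page and the in-memory users are assumptions made for illustration.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

  <security:http>
    <!-- intercept-url rules are evaluated top to bottom and the first match wins,
         so specific patterns go before the catch-all. -->
    <!-- The login page itself must stay reachable without authentication. -->
    <security:intercept-url pattern="/login.do" access="permitAll"/>
    <!-- Only users holding ROLE_UPDATE reach anything under /admin/. -->
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_UPDATE')"/>
    <!-- Everything else only requires a logged-in user. -->
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>

    <!-- Same form-login as in the question; the target URL is written
         context-relative with a leading slash. -->
    <security:form-login login-page="/login.do?error=0"
        login-processing-url="/j_security_check"
        authentication-failure-url="/login.do?error=1"
        default-target-url="/admin/admin.do"
        always-use-default-target="false"/>

    <!-- Assumed page: shown when a logged-in user lacks the required role. -->
    <security:access-denied-handler error-page="/denied.do"/>
  </security:http>

  <!-- Constructed test users; a real application would load users and
       their roles from its own user store. -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="alice" password="changeit" authorities="ROLE_UPDATE"/>
        <security:user name="bob" password="changeit" authorities="ROLE_USER"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>
```

With this configuration both users can log in, but only `alice` reaches `/admin/**`; `bob` is sent to the access-denied page, and no role lookup is needed in the application code. Spring Security 4 enables CSRF protection by default, so the login form has to post the `_csrf` token.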
