
Spring REST Security : Enable Basic Authentication only on a specific endpoint

I have configured Spring Security for my REST API (with HeaderHttpSessionStrategy).

My 'WebSecurityConfigurerAdapter' implementation looks like this:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.savedrequest.NullRequestCache;

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                // only /user/** requires an authenticated caller; everything else is open
                .antMatchers("/user/**").authenticated()
                .antMatchers("/**").permitAll()
                .and()
            // do not remember the original request across the login round trip
            .requestCache()
                .requestCache(new NullRequestCache())
                .and()
            // HTTP Basic is currently enabled for every request the chain handles
            .httpBasic();
    }
}

Now, how can I configure the 'HttpSecurity' object so that basic authentication is only possible on a specific endpoint?

For example:

/user/login : Basic Authentication should only be possible on this endpoint. After successful authentication an x-auth-token header is returned.

/user/create : The client should not be able to authenticate on this endpoint. It should only return 401. It can only be accessed using the 'x-auth-token' created via the /user/login endpoint.

You can define multiple WebSecurityConfigurerAdapters: one of higher priority which has a request matcher to restrict applicability to /user/login, like http.requestMatcher(new AntPathRequestMatcher("/user/login")), and another one as a catch-all for the rest. You can omit the requestMatcher to make the http definition unrestricted.

You must always define restrictions from specific to generic. In your case it should be specific URL checks before generic security checks.

  1. You should configure and permit the signin / signup URLs.
  2. You should avoid the pattern /** to permit all. Instead, configure static resource URLs separately.
  3. You should finally apply the more generic restriction like you mentioned on the URL /user/**: authenticated and having some role.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                // one pattern per argument; a single comma-separated string would never match
                .antMatchers("/user/login", "/user/signup", "/logout").permitAll()
                .antMatchers("/user/**").hasRole("ADMIN")
                .and()
            .requestCache()
                .requestCache(new NullRequestCache())
                .and()
            .httpBasic();
    }

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
