Spring boot: How to add interceptors to static resources?

Question

I have several folders in /static/img/** and I need to add interceptors to some of them to check user permissions. I've used interceptors earlier and added them this way:

@SpringBootApplication
@EnableTransactionManagement
public class Application extends WebMvcConfigurerAdapter {

  ...

  @Override
  public void addResourceHandlers(ResourceHandlerRegistry registry) {
    registry
      .addResourceHandler("/static/**")
      .addResourceLocations("classpath:/static/");
  }

  @Bean
  public AuthHeaderInterceptor authHeaderInterceptor() {
    return new AuthHeaderInterceptor();
  }

  @Bean
  public AuthCookieInterceptor authCookieInterceptor() {
    return new AuthCookieInterceptor();
  }

  @Override
  public void addInterceptors(InterceptorRegistry registry) {
    registry
      .addInterceptor(authHeaderInterceptor())
      .addPathPatterns(REST_URL)
      .excludePathPatterns(
        new String[] {
          REST_SECURITY_URL,
          REST_SETTINGS_URL,
          REST_REPORTS_URL
        }
      );

    registry
      .addInterceptor(authCookieInterceptor())
      .addPathPatterns(REST_REPORTS_URL);
  }
}

All works fine for rest controllers and their URLs, but now I need to secure some static resources and I added this:

@SpringBootApplication
@EnableTransactionManagement
public class Application extends WebMvcConfigurerAdapter {

  ...

  @Bean 
  public RoleAdminInterceptor roleAdminInterceptor() {
    return new RoleAdminInterceptor();
  }

  @Override
  public void addInterceptors(InterceptorRegistry registry) {
    registry
      .addInterceptor(authHeaderInterceptor())
      .addPathPatterns(REST_URL)
      .excludePathPatterns(
        new String[] {
          REST_SECURITY_URL,
          REST_SETTINGS_URL,
          REST_REPORTS_URL
        }
      );

    //THIS NOT WORK
    registry
      .addInterceptor(roleAdminInterceptor())
      .addPathPatterns("/static/img/admin/**");

    registry
      .addInterceptor(authCookieInterceptor())
      .addPathPatterns(REST_REPORTS_URL);
  }
}

Commented line doesn't work. When I send request to /static/img/admin/test.png RoleAdminInterceptor is never called.

What I'm doing wrong?

Answer 1

I know this is an old question, but since it's unanswered it might help others searching for it.

This is what worked for me:

1- Declare an interceptor class:

class RoleBasedAccessInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        AntPathMatcher matcher = new AntPathMatcher();
        String pattern = "/static/img/admin/**";

        String requestURI = request.getRequestURI();

        if (matcher.match(pattern, requestURI)) {
            //Do whatever you need 
            return validateYourLogic();
        }

        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {

    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {

    }
}

2- Configure WebMvcConfigurer

public class WebMvcConfiguration implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new RoleBasedAccessInterceptor());
    }
}

Answer 2

I think in this case you could use Filters with Spring Security instead of Interceptors as you could Validate the access earlier on the process even before hitting the Interceptor, unless there is a specific use case that you need to use the interceptor here.

Some topic about the difference between these two: filters-vs-interceptor