stackoom
  简体   繁体   中英

Spring Boot + Security configuration for communication with Angular app

 原文  2019-10-16 09:32:23       angular/ spring/ spring-boot/ spring-security

Question

I have the spring boot application running on the domain A.It purpose is to expose some REST endpoints.

Also, I have angular 8 application. It could be deployed on the same domain A, or in other domain B. The spring boot app is aware of on which domain is angular app deployed.

I need to configure Spring security,so it will accept requests on particular endpoints ONLY from the angular app. But also, some of the endpoints need to be role-aware

For example:

  • /api/v1/resources/** - should be from angular app only
  • /api/v1/resources/admin/** - should be only from angular app AND user should have admin role
  • /api/v1/payments/** - this can accept requests not only from angular app (merchant callbacks for example)

I would highly appreciate some pieces of advice on the best approach for this

2 answers

solution1
 1  2019-10-16 10:20:42

You can achieve this by applying URL specific filter in securityConfig.java class where you have extended WebSecurityConfigurerAdapter class also you need to pass one custom header from your Angular app. 

@Autowired
private HeaderFilter headerFilter;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/api/v1/resources/**")
        .addFilterBefore(headerFilter, BasicAuthenticationFilter.class)
        .authorizeRequests()
        .anyRequest().authenticated();
}

You can create HeaderFilter.class and inside doFilter() method implement like below.

public class HeaderFilter extends GenericFilterBean {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        Enumeration<String> headerNames = httpRequest.getHeaderNames();

        if (headerNames != null) {
            while (headerNames.hasMoreElements()) {
                request.getHeader("YOUR_CUSTOM_HEADER");
                //get Angular app specific header and it's value whether it is correct then true else stop filter chain.
                if(FOUND){
                   chain.doFilter(request, response);
                } else {
                   throw Exception();
                }
            }
        }

    }
}

You can also add ROLE BASED additional authentication for ADMIN access in securityconfig.java

solution2
 0  2019-10-16 09:44:37

In your WebSecurityConfig class which extends from WebSecurityConfigurerAdapter ( org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter ) edit your configure mwthod as this

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable().
            authorizeRequests()
            .antMatchers("/api/v1/resources/admin/**").hasRole("admin")
            .antMatchers("/api/v1/payments/**").permitAll()
            .anyRequest().authenticated()           
            ...
            ...
        }

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Integrating Angular 5 App and Spring boot. Spring security blocks the app Spring boot security is not loading Angular 7 app build files Angular 2, Spring boot , spring security , login form Spring security configuration with angular served by backend Angular 2 + CORS + Spring Boot Rest Controller with Spring Security Using spring boot with angular for login page using spring security How to Manage Authentication between an Angular 4 Application and an Application (Spring Boot / security)? Unable to Cross CORS Policy - Angular with spring boot security Deploy Spring boot+Angular2 app to Heroku Spring Boot App with Angular and Keycloak Ingress
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM