нαƒєєz

Reputation: 1249

How to unsecure a method with Spring security

I have implemented Spring Security for a RESTful web service project. It has request mappings with the same URL patterns but with different request method types.

@RequestMapping(value = "/charity/accounts", method = RequestMethod.POST)
public AccountResponseDto createAccount(HttpServletResponse response, @RequestBody AccountRequestDto requestDTO) {
    // some logics here
}

@RequestMapping(value = "/charity/accounts", method = RequestMethod.GET)
public AccountResponseDto getAccount(HttpServletResponse response) {
    // some logics here
}

@RequestMapping(value = "/charity/accounts", method = RequestMethod.PUT)
public void updateAccount(HttpServletResponse response, @RequestBody AccountRequestDto requestDTO) {
    // some logics here
}

Currently all of these methods require authorization to execute, but I need to remove authorization for the createAccount(...) method. Are there annotation-based solutions?

Note: I need a solution that does not require changes to the URL patterns, as that would impact many other modules.

Upvotes: 1

Views: 2413

Answers (2)

James Jithin

Reputation: 10565

Below is a sample configuration which would permit requests for signup and about:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

  // inMemoryAuthentication() declares "throws Exception", so this method must too
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
      .inMemoryAuthentication()
        .withUser("user")  // #1
          .password("password")
          .roles("USER")
          .and()
        .withUser("admin") // #2
          .password("password")
          .roles("ADMIN","USER");
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests() // authorizeUrls() existed only in 3.2 milestones; the released API is authorizeRequests()
        .antMatchers("/signup","/about").permitAll()
        .anyRequest().authenticated(); // without this catch-all, unmatched URLs are not secured at all
  }
}

You can refer to Spring Security Java Config for detailed information.

A suggestion on your Controller. If all requests prefixed with /charity are to be handled by CharityController, you can map them in the below way:

@Controller
@RequestMapping(value = "/charity")
class CharityController {

    // class-level prefix + method-level path = /charity/accounts
    @RequestMapping(value = "/accounts", method = RequestMethod.GET)
    @ResponseBody // serialise the DTO instead of resolving it as a view name
    public AccountResponseDto getAccount(HttpServletResponse response) {
        // some logics here
        return new AccountResponseDto(); // assumes a no-arg constructor on the DTO
    }
}

Update

The following should work for you.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        // antMatchers(HttpMethod, String...) is varargs, so no explicit array is needed;
        // only the POST verb on these paths is opened, GET/PUT on the same URLs stay secured
        .antMatchers(HttpMethod.POST, "/charity/accounts", "/charity/people").permitAll()
        .anyRequest().authenticated();
}

Upvotes: 1

Anudeep Gade

Reputation: 1395

That's why we have roles and authorizations. First we can define who can GET/PUT/POST and grant authorities to the user accordingly.

Then we can annotate the GET/PUT/POST methods with @Secured("ROLE_ADMIN") accordingly.

To unsecure GET, you can add @PreAuthorize("isAnonymous()") or @Secured("MY_CUSTOM_ANONYM_ROLE").

Upvotes: 4
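An added example (not from either answer or from the asker's project) that ties the two answers together: URL-level rules in the filter chain are evaluated before the request ever reaches a controller, so a method-level annotation such as @PreAuthorize cannot loosen a URL rule that already demands authentication; the verb has to be opened in the HttpSecurity configuration, with a catch-all rule so the other verbs on the same path stay protected. It assumes Spring Security 3.2-4.x (WebSecurityConfigurerAdapter), HTTP Basic authentication and a stateless API; the class name and in-memory user are placeholders.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class CharityApiSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholder credentials for the example only; on Spring Security 5+
    // the password would need an encoder prefix such as "{noop}".
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Java config enables CSRF by default, which would reject an anonymous
            // POST without a token. Disabling it is appropriate only for a stateless
            // API authenticated per request (Basic/token), never for a session-based UI.
            .csrf().disable()
            .authorizeRequests()
                // Rules are matched top-down and the first match wins. Only the
                // POST verb on the exact path is opened; GET and PUT on
                // /charity/accounts do not match this rule and fall through to
                // the catch-all below, so they still require authentication.
                .antMatchers(HttpMethod.POST, "/charity/accounts").permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

Because the URL patterns are untouched, the controller mappings in the question stay as they are; only the security configuration decides which verb is anonymous.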
