Reputation: 1
I am a little new to Spring Security and need help with where I can disable HTTP methods such as OPTIONS, PUT or DELETE.
Upvotes: 0
Views: 2407
Reputation: 12023
Spring's intercept-url provides a method parameter; the downside is that it permits only a single method to be specified.
You may overcome this by specifying a few intercept-url items for the same pattern:
    <http auto-config="true" use-expressions="true">
        <!-- the login page is reachable by everyone -->
        <intercept-url pattern="/login" access="permitAll" />
        <!-- one intercept-url per HTTP method for the same pattern -->
        <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" method="GET" />
        <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" method="POST" />
    </http>
A different alternative is to write your own Spring Security expression, e.g. isPermitedMethod; the following blog may help.
Upvotes: 1
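Added example, not part of the answer above: intercept-url rules are evaluated in order with the first match winning, and a request that matches no rule gets no access check at all, so a configuration that lists only GET and POST leaves every other method on /** unrestricted by Spring Security. The sketch below reuses the answer's pattern and ROLE_ADMIN role, refuses the methods named in the question explicitly, and closes with a catch-all rule for anything left over.

```xml
<http auto-config="true" use-expressions="true">
    <!-- Most specific rule first: the login page stays public -->
    <intercept-url pattern="/login" access="permitAll" />

    <!-- Methods the question wants disabled: refuse them for everyone,
         including ROLE_ADMIN, before any permissive rule can match -->
    <intercept-url pattern="/**" method="OPTIONS" access="denyAll" />
    <intercept-url pattern="/**" method="PUT"     access="denyAll" />
    <intercept-url pattern="/**" method="DELETE"  access="denyAll" />

    <!-- Methods the application actually serves -->
    <intercept-url pattern="/**" method="GET"  access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/**" method="POST" access="hasRole('ROLE_ADMIN')" />

    <!-- Catch-all with no method attribute: anything not matched above
         (HEAD, PATCH, ...) is refused instead of falling through.
         It also covers OPTIONS/PUT/DELETE; the explicit rules above are
         kept so the intent is visible when the file is reviewed -->
    <intercept-url pattern="/**" access="denyAll" />
</http>
```

With denyAll, an unauthenticated request is sent to the login entry point and an authenticated one receives 403 Forbidden.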
Reputation: 1650
Why don't you just have a controller method which only allows GET? Any other HTTP method will be rejected automatically.
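    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;

    @Controller
    @RequestMapping("/releaseupdates")
    public class ReleaseUpdateController {

        @RequestMapping(method = RequestMethod.GET)
        public String getRequest() {
            // do something, only accepts GET
            return "releaseupdates"; // hypothetical view name; the original snippet had no return
        }
    }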
If you want to allow the other methods but only to a specific user/role, then you can configure those fine-grained settings in a similar way to this: https://www.mkyong.com/spring-security/spring-security-custom-login-form-annotation-example/
Upvotes: 0