vmaric

Reputation: 369

Access control to rest services with spring-boot

I played a bit with spring-boot security. I use mongodb, spring-boot-starter-data-rest, spring-boot-starter-security and spring-boot-starter-web. I used the possibility to automatically expose a repository as a REST service. I have two repositories, users and customers. The users repository is for accounts. After extending WebSecurityConfigurerAdapter like this:

@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http.authorizeRequests()
        .antMatchers("/users/**").hasRole("ADMIN")
        .antMatchers("/", "/customers").hasRole("USER")
        .anyRequest().authenticated()
        .and()
        .formLogin().permitAll();
}

I cannot control access to the /users/ page for users who have the ADMIN role. I get authentication when accessing the service, but every user with any role can access everything. What else should be configured?

Upvotes: 0

Views: 4441

Answers (1)

luboskrnac

Reputation: 24581

This sounds like you need to take a look at Method Security Expressions features of Spring Security. Especially annotations @PreAuthorize/@PostAuthorize.

Upvotes: 1
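
The method-security approach suggested in the answer, as an added example that is not part of the original question or answer. The class names (SecurityConfig, User, Customer, UserRepository, CustomerRepository) are assumptions; the types are shown in one listing and would normally live in separate files.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize/@PostAuthorize
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // super.configure(http) is deliberately not called: the adapter's default
        // registers anyRequest().authenticated() first, and the first matching
        // rule wins, so the role rules below would never be consulted.
        http.authorizeRequests()
                .antMatchers("/users/**").hasRole("ADMIN")
                .antMatchers("/", "/customers/**").hasRole("USER") // item resources too
                .anyRequest().authenticated()
                .and()
            .formLogin().permitAll();
    }
}

// Hypothetical documents behind the two repositories
class User { @Id String id; String username; }
class Customer { @Id String id; String name; }

// Class-level annotation: every repository method, and therefore every
// Spring Data REST operation exported under /users, requires ROLE_ADMIN.
@RepositoryRestResource(path = "users")
@PreAuthorize("hasRole('ROLE_ADMIN')")
interface UserRepository extends MongoRepository<User, String> { }

@RepositoryRestResource(path = "customers")
@PreAuthorize("hasRole('ROLE_USER')")
interface CustomerRepository extends MongoRepository<Customer, String> {
    // A method-level annotation overrides the class-level one for this
    // operation: only admins may delete a customer.
    @Override
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    void delete(Customer customer);
}
```

With both layers in place, the URL rules reject requests early and the repository annotations still apply if a repository is called from other code paths.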
