sumit sinha
Reputation: 3
Allow access to user in Spring Security if he has both roles
I am using Spring Security for providing access to users of my application. For single role I am using like this:
<security:intercept-url pattern="/rest/Admin" access="hasAuthority('Admin')" />
I want to provide access to user for a particular URL if he has both role of Admin and Employee but I am not sure how to do this.
Upvotes: 0
Views: 292
Answers (1)
jlumietu
Reputation: 6444
According to Spring Security Reference:
To use expressions to secure individual URLs, you would first need to set the
use-expressionsattribute in the<http>element totrue. Spring Security will then expect theaccessattributes of the<intercept-url>elements to contain Spring EL expressions. The expressions should evaluate to a Boolean, defining whether access should be allowed or not. For example:<http> <intercept-url pattern="/admin*" access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/> ... </http>
So, you should try using:
<security:intercept-url pattern="/rest/Admin"
access="hasAuthority('Admin') and hasAuthority('Employee')" />
Upvotes: 2
Related Questions
- Spring Switching User: only allow a user with a specific role switch to another user with specific roles
- Spring security access with multiple roles
- Spring security : Multiple roles for a single user
- Spring Security two roles implementation
- SecurityConfig for two Roles
- Allowing access for specific users in Spring Security
- Spring Security: separating controller by user role
- Spring Security one role different permissions
- spring security 3 - restrict role access to actual user
- denying access for multiple users of same role in spring security