Reputation: 217
Spring security: deny access to resource to specific role
Im programming a collection of rest web services with Spring, but cant configure it with Spring security for certain logic. I have these types of resources:
- Resources which can be accessed without being authenticated
- Resources accessible only to certain roles
- Resources NOT accessible to certain roles
I have a problem with the last requirement. I have tried the following:
http
.authorizeRequests()
.antMatchers("/resource1").permitAll()
.antMatchers(HttpMethod.GET, "/resource2").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
.antMatchers(HttpMethod.GET, "/resource3").hasAuthority("ROLE_ADMIN")
.antMatchers(HttpMethod.GET, "/resource4").not().hasAuthority("ROLE_USER")
.anyRequest().fullyAuthenticated()
.and().requestCache().requestCache(new NullRequestCache())
.and().httpBasic().authenticationEntryPoint(authenticationEntryPoint)
.and().csrf().disable();
This code is the most similar to what I need:
- Everyone can access "resource1" even non-authenticated users
- Only roles USER and ADMIN can access resource2
- Only roles ADMIN can access resource3
BUT, the problem is on "resource4"... if the user is authenticated, everything works fine (only users without any role USER can access the resource)... the problem is that Spring permits access to non-authentitcated users (as I suppose it considers they don't belong to the rule USER, which is correct)
Any idea on how to configure a resource as not being accessible for certain roles, BUT having to be authenticated?
Upvotes: 1
Views: 4796
Answers (1)
Reputation: 6936
you could use .access(String expression) it allows specifying that URLs are secured by an arbitrary expression
with expression = "not( hasRole('USER') ) and isAuthenticated()"
resulting in
http
.authorizeRequests()
.antMatchers("/resource1").permitAll()
.antMatchers(HttpMethod.GET, "/resource2").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
.antMatchers(HttpMethod.GET, "/resource3").hasAuthority("ROLE_ADMIN")
.antMatchers(HttpMethod.GET,"/resource4").access("not( hasRole('USER') ) and isAuthenticated()")
Upvotes: 4
Related Questions
- Spring Security Limiting URL access by roles
- Spring security, how to restrict user access certain resources based on dynamic roles?
- User can access resource even if he's not part of "@Secured([role])"
- How to properly restrict access based on roles to API's with spring security?
- spring security is not filtering access to resources based on roles
- Spring Security one role different permissions
- What is the correct approach for denying access to specific resources in spring MVC + security
- spring security 3 - restrict role access to actual user
- Role-based access denial handling in Spring Security - how to?
- Spring Security Access role