Sony

Reputation: 7186

How to secure dynamic resources in Spring Boot?

In my Spring Boot application, user images are saved in the file system, and I added the path in the resource handlers as

registry.addResourceHandler("/uploads/**").addResourceLocations("file:/home/imgs/profiles/");

I have added JWT security for some of the REST services along with /uploads/** as .antMatchers("/uploads/**").permitAll().anyRequest().authenticated()

But this /uploads/** is not checking for security. It is accepting requests from Postman without an auth token.

The path to the resource is as follows:

http://localhost:8080/myapp/uploads/1302caa0-570d-46ed-ae69-372b48c58a3a/74b780b573f149709776e800a659c83e.jpg

How can I configure security for this dynamic resource?

Upvotes: 0

Views: 237

Answers (1)

Evgeniy Strepetov

Reputation: 684

According to your configuration, you have permitted access to all for user images.

If you want to restrict access to only authenticated users, you can just use the following configuration:

.anyRequest().authenticated()

If you want more granular control for image security, you can use the following configuration (for example):

.antMatchers("/uploads/**")
.hasRole("IMAGE_USER_ROLE")
.anyRequest()
.authenticated()

Upvotes: 1
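
An added example, not code from the question or the answer: a Spring Security 5.x configuration (the `antMatchers` API used on this page) that puts the question's `permitAll()` rule next to the answer's role-based rule. The class names and the `jwtFilter` bean are assumptions standing in for the application's own JWT filter.

```java
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Resource handler from the question: files on disk are served under /uploads/**.
@Configuration
class UploadResourceConfig implements WebMvcConfigurer {
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/uploads/**")
                .addResourceLocations("file:/home/imgs/profiles/");
    }
}

@Configuration
@EnableWebSecurity
class UploadSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical bean: the application's own filter that validates the JWT
    // and populates the SecurityContext with the caller's authorities.
    private final Filter jwtFilter;

    UploadSecurityConfig(@Qualifier("jwtFilter") Filter jwtFilter) {
        this.jwtFilter = jwtFilter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                // Matchers exclude the context path: /myapp/uploads/... matches "/uploads/**".
                // Rules are evaluated in order and the first match wins.
                //
                // Before (question): every image is readable without a token.
                //   .antMatchers("/uploads/**").permitAll()
                //
                // After (answer): hasRole() prepends "ROLE_", so the token must map
                // to the authority "ROLE_IMAGE_USER_ROLE".
                .antMatchers("/uploads/**").hasRole("IMAGE_USER_ROLE")
                .anyRequest().authenticated();
    }
}
```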
