Reputation: 7186
How to secure dynamic resources in Spring Boot?
In my Spring Boot application, user images are saved in the file system and added the path in resource handlers as
registry.addResourceHandler("/uploads/**").addResourceLocations("file:/home/imgs/profiles/");
I have added JWT security for some of the rest services along with /uploads/**
as .antMatchers("/uploads/**").permitAll().anyRequest().authenticated()
but this /uploads/** is not checking for security. it is accepting requests from postman without auth token
The path to the resource is as follows:
http://localhost:8080/myapp/uploads/1302caa0-570d-46ed-ae69-372b48c58a3a/74b780b573f149709776e800a659c83e.jpg
How can I configure security for this dynamic resource?
Upvotes: 0
Views: 237
Answers (1)
Reputation: 684
According to you configuration you have permitted access to all for user images.
If you to restrict access to only authenticated users, you can just use following configuration:
.anyRequest().authenticated()
If you want more granular control for images security, you can use following configuration(for example):
.antMatchers("/uploads/**")
.hasRole("IMAGE_USER_ROLE")
.anyRequest()
.authenticated()
Upvotes: 1
Related Questions
- How should a user-specific resource be protected using spring boot security?
- How to fix access to resources using spring security?
- Spring security Dynamic authorization
- Spring security, how to restrict user access certain resources based on dynamic roles?
- How to add security to spring based rest api's and static content
- Spring MVC & Security - Identification of protected resource during authorization
- What is the correct approach for denying access to specific resources in spring MVC + security
- Authorization Before Accessing Static Resources In Spring Web App
- Spring - How to protect RESTful private resources?
- How to secure access to static resources in Spring