Codemaster

Spring security - How to use role based authentication for different domains?

There is a project with a Spring Boot back-end running on localhost:8080 and two front-end Angular applications, on localhost:4200 (User website) and localhost:4201 (Admin website). How can I configure Spring Security so that it allows only users with role ROLE_USER or ROLE_ADMIN on the User website, while only users with role ROLE_ADMIN have access to the Admin website?

Currently both users are able to access both websites. Is there any way to restrict certain domains rather than restricting paths (URLs) to users?

Current config -

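@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    Environment env;

    @Autowired
    UserSecurityService useSecurityService;

    /**
     * URL patterns served without authentication. Every other request only
     * needs to be authenticated; no role distinction is made yet.
     *
     * The back-end cannot tell which front-end origin a request came from
     * (the Origin header is client-supplied and is absent from non-browser
     * clients), so the user/admin split has to be expressed on URLs: give the
     * admin front-end its own path prefix and add a rule such as
     * {@code .antMatchers("/admin/**").hasRole("ADMIN")} ahead of
     * {@code anyRequest()} — ordering matters, the first matching rule wins.
     */
    private static final String[] PUBLIC_MATCHERS = {
            "/css/**",
            "/js/**",
            "/images/**",
            "/book/**",
            "/user/**",
            "/media/**"
    };

    /** Password encoder shared with {@code SecurityUtility} (BCrypt). */
    private BCryptPasswordEncoder passwordEncoder() {
        return SecurityUtility.passwordEncoder();
    }

    /**
     * Registers {@code UserSecurityService} as the user store and BCrypt as
     * the password encoder used to verify stored hashes.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(useSecurityService).passwordEncoder(passwordEncoder());
    }

    /**
     * HTTP security chain: public matchers are open, everything else needs
     * authentication; CORS is enabled, CSRF is disabled, and HTTP Basic is the
     * login mechanism. Written as a single chain instead of two separate
     * {@code http...} statements with a dangling {@code .and()}.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(PUBLIC_MATCHERS).permitAll()
                .anyRequest().authenticated()
                .and()
            // cors() picks up a CorsConfigurationSource bean (or Spring MVC CORS
            // config) that is not shown here; keep its allowed origins limited
            // to the two front-end hosts rather than a wildcard.
            .cors()
                .and()
            // CSRF protection is off. That is only safe while the browser never
            // attaches a credential automatically: the X-Auth-Token session
            // header (see httpSessionStrategy) is not auto-sent, but browser-cached
            // HTTP Basic credentials are — confirm the Angular apps authenticate
            // with the token header rather than a cached Basic challenge.
            .csrf().disable()
            .httpBasic();
    }

    /** Session id is carried in the X-Auth-Token request header instead of a cookie. */
    @Bean
    public HttpSessionIdResolver httpSessionStrategy() {
        return HeaderHttpSessionIdResolver.xAuthToken();
    }
}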


Mahmoud Odeh

Assuming all of your configuration is set up properly, you can make use of the role-restriction mechanism as in the sample below. Spring Security authorizes each request by its URL pattern and the caller's roles, not by which front-end origin sent it, so give the admin-only endpoints their own path prefix and restrict that:

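/**
 * Access rules are evaluated in declaration order and the first matching
 * pattern wins, so the role-restricted endpoints are listed before the broad
 * {@code permitAll} wildcards. In particular {@code /user/api/v1/normal} has to
 * precede {@code /user/**}; listed the other way round the wildcard matches
 * first and the role check never runs.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {

    http
        .authorizeRequests(authorize -> {
            authorize
            // restricted endpoints first — a later, broader rule would shadow them
            .mvcMatchers(HttpMethod.GET, "/user/api/v1/normal")
                .hasAnyRole("USER", "ADMIN", "FOO")
            .mvcMatchers(HttpMethod.DELETE, "/userweb/v1/info/**").hasRole("ADMIN")
            .mvcMatchers("/admin/main").hasAnyRole("USER", "ADMIN")
            // public endpoints
            .antMatchers("/h2-console/**").permitAll() //do not use in production!
            .antMatchers("/css/**", "/js/**", "/images/**", "/book/**", "/user/**", "/media/**").permitAll()
            .antMatchers("/website/find", "/main*").permitAll()
            .antMatchers(HttpMethod.GET, "/userweb/v1/data/**").permitAll()
            .mvcMatchers(HttpMethod.GET, "/userweb/v1/item/{upc}").permitAll()
            // everything else only needs an authenticated caller
            .anyRequest().authenticated();
        })
        .cors()
        .and()
        .httpBasic()
        .and().csrf().disable();
}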
