Using Spring Security, how can I use HTTP methods (e.g. GET, PUT, POST) to distingush security for particular URL patterns?

N

2

20

The Spring Security reference states:

You can use multiple elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top. You can also add a method attribute to limit the match to a particular HTTP method (GET, POST, PUT etc.). If a request matches multiple patterns, the method-specific match will take precedence regardless of ordering.

How can I configure Spring Security so that access to particular URL patterns are secured differently depending on the HTTP method used to access the URL pattern?

Newmarket answered 8/9, 2011 at 11:15 Comment(0)

A

28

This is only about configuration. It says that the <intercept-url> elements will be evaluated from top to bottom in your <http /> tag of your configuration file:

<http auto-config="true">
    <intercept-url pattern="/**" access="isAuthenticated" />
    <intercept-url pattern="/login.jsp" access="permitAll" />
</http>

In the above example, we're trying to allow only authenticated users access everything, except, of course, the login page (the user must first log in, right?!). But this, according to the documentation, won't work, because the less specific match are on top. So, (one of) the right configuration to accomplish this example's objective is:

<http auto-config="true">
    <intercept-url pattern="/login.jsp" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated" />
</http>

Placing the more specific match on top.

The last thing the quote says is about the HTTP method. You can use it to specify the match, so:

<http auto-config="true">
    <intercept-url pattern="/client/edit" access="isAuthenticated" method="GET" />
    <intercept-url pattern="/client/edit" access="hasRole('EDITOR')" method="POST" />
</http>

In this second example, to access /client/edit via GET the user only needs to be authenticated, but to access /client/edit via POST (lets say, submitting the edit form) the user needs to have the EDITOR role. That url pattern may be not encouraged in some places but it was just an example.

Athapaskan answered 9/9, 2011 at 13:12 Comment(0)

S

30

For those that prefer Java annotation-based configuration, drop this class into your application.

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers(HttpMethod.GET).permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.POST).denyAll();
        http.authorizeRequests().antMatchers(HttpMethod.DELETE,"/you/can/alsoSpecifyAPath").denyAll();
        http.authorizeRequests().antMatchers(HttpMethod.PATCH,"/path/is/Case/Insensitive").denyAll();
        http.authorizeRequests().antMatchers(HttpMethod.PUT,"/and/can/haveWildcards/*").denyAll();

    }

}

Using the following Maven dependencies (earlier versions of Spring-Security should work also):

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>5.0.0.M3</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.0.0.M3</version>
    </dependency>

Stenophagous answered 30/8, 2017 at 16:13 Comment(2)

Same goes for mvcMatchers which was added in Spring Security 4.1.1 and is considered more secure. – Weight 19/6, 2020 at 10:4

True, but do not add mvcMatchers if you are only specifying HTTP method type without the path pattern e.g. .mvcMatchers(HttpMethod.PUT).authenticated(). This will not work. Use antMatcher instead .antMatchers(HttpMethod.DELETE).authenticated() – Attractant 6/10, 2022 at 21:30

A

28