java - Method Based Authorization at Spring Boot -

-

i have methods published rest services. want apply basic authorization security on 1 method lest "gpnfeedback". not want apply authorization on sendgpn how can configure securityconfig.java? have used following configration still having authorzation error when callling http://localhost:7071/gpns/rest/sendgpn

controller 

@controller @requestmapping("/gpns/rest/") public class gpnsrestcontroller {     @crossorigin    @requestmapping(value = "/sendgpn", method = requestmethod.post, produces = mediatype.application_json_value, consumes = { mediatype.multipart_form_data_value, mediatype.application_json_value })    public @responsebody    gpnsresponse sendgpn(@valid @requestpart(value = "data", required = true) sendgpnmessagemsisdnlistreq sendgpnmessagemsisdnlistreq, @valid @modelattribute(value = "photo") multipartfile photo, @valid @modelattribute(value = "video") multipartfile video,          @valid @modelattribute(value = "videothumbnail") multipartfile videothumbnail) {     }     @requestmapping(method = requestmethod.post, value = "/gpnfeedback", consumes = mediatype.application_json_value, produces = mediatype.application_json_value)    public @responsebody    gpnsresponse gpnfeedback(httpservletrequest http, @valid @requestbody gpnfeedbackreq gpnfeedbackreq) {    }   }

security 

@configuration @enablewebsecurity(debug = true) @enableglobalmethodsecurity(securedenabled = true) public class securityconfig extends websecurityconfigureradapter {     public static final string role_client = "client_user";    @autowired   private databaseauthenticationprovider databaseauthenticationprovider;    @autowired   private gpnbasicauthenticationentrypoint basicauthenticationentrypoint;     @override    public void configure(websecurity web) throws exception {    web.ignoring().antmatchers("/soap/lb/**");    }    @override   protected void configure(httpsecurity http) throws exception {      http.csrf().disable();     http.httpbasic().authenticationentrypoint(this.basicauthenticationentrypoint);     http.sessionmanagement().sessioncreationpolicy(sessioncreationpolicy.stateless);       // @formatter:off     http.authorizerequests()       .antmatchers("/gpns/rest/gpnfeedback/**").hasrole(role_client)                  .anyrequest().authenticated().and().httpbasic();      // @formatter:on   }    @override   protected void configure(authenticationmanagerbuilder builder) throws exception {      //will invoked in given order      builder.authenticationprovider(this.databaseauthenticationprovider);    }  }

update-1: have changed rules following one. althout can send http://localhost:7071/gpns/rest/sendgpn method without authorization, http://localhost:7071/gpns/rest/gpnfeedback not hanled databaseauthenticationprovider 

http.authorizerequests()       .antmatchers("/gpns/rest/gpnfeedback/**").hasrole(role_client)         .antmatchers("/gpns/rest/sendgpn/**").permitall()                 .anyrequest().authenticated().and().httpbasic();

i think issue related line in configuration:

.anyrequest().authenticated().and().httpbasic();

basically, you're saying here every request (aside ignored on) has authenticated don't care roles has. try using 1 instead:

.anyrequest().permitall().and().httpbasic()

alternatively, if wish permit sendgpn, use this:

http.authorizerequests()       .antmatchers("/gpns/rest/gpnfeedback/**").hasrole(role_client)         .antmatchers("/gpns/rest/sendgpn/**").permitall()                 .anyrequest().authenticated().and().httpbasic();

edit update, guess you've somehow misconfigured provided or have incorrect data in db. instance if role_client has value of "client" spring expect value in db "role_client" - adds "role_" prefix roles.


Comments

Post a Comment

Popular posts from this blog

magento2 - Magento 2 admin grid add filter to collection -

-
i created grid in admin xml ui components. need filter collection via url parameter , dont know how achieve that. tried inject requestinterface collection, filter didnt work. di.xml <virtualtype name="slidelistingdataprovider" type="magento\framework\view\element\uicomponent\dataprovider\dataprovider"> <arguments> <argument name="collection" xsi:type="object" shared="false">xxx\xxx\model\resourcemodel\grid\slide\collection</argument> <argument name="filterpool" xsi:type="object" shared="false">slidelistingfilterpool</argument> <!-- define new object filters --> </arguments> </virtualtype> <virtualtype name="slidelistingfilterpool" type="magento\framework\view\element\uicomponent\dataprovider\filterpool"> <arguments> <argument name="applier
Read more

Android volley - avoid multiple requests of the same kind to the server? -

-
i using volley upload list of images server. happens within service. once image uploaded remove list. problem arises when internet connection breaks. when internet connection breaks , comes again thinking of adding images yet uploaded request queue. this can result in more 1 copy of same image saved on server request same image might have gone through before getting rseponse. how can address scenario? i'm not quite sure why you're using service schedule requests volley automatically runs it's request in seperate thread. nevertheless can listen both request results, successful , unsuccessful adding listeners. you can remove image list schedule request using volley. if succeeds can carry on desired, if fails can add again list. public static request getimageuploadrequest(final string image) { response.listener<t> responselistener = new response.listener<t>() { @override public void onresponse(t response
Read more

Combining PHP Registration and Login into one class with multiple functions in one PHP file -

-
i'm trying combine registration, activation , login scripts php website backend script front end developer can pass variables different forms to. my question whether appropriate approach this. don't want have lot of php files different pieces of application developing. far have written following 2 functions login, register , activate user front end developer can call: <?php /** * created phpstorm. * user: karl * date: 26/07/2016 * time: 02:25 */ class users { function register_user($email, $password, $user_name) { $server_name = "localhost"; $u_name = "root"; $db_password = "root"; $db_name = "betamath_graspe"; //email notification variable $from_address="info@slack.com"; //registration form $msg_reg_user='username taken. please choose different username'; $msg_reg_email='email registered'; $msg_reg_active=&#
Read more