spring-security/docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc

[[servlet-authorization-filtersecurityinterceptor]]
= Authorize HttpServletRequest with FilterSecurityInterceptor
:figures: servlet/authorization

This section builds on xref:servlet/architecture/index.adoc#servlet-architecture[Servlet Architecture and Implementation] by digging deeper into how xref:servlet/authorization/index.adoc#servlet-authorization[authorization] works within Servlet based applications.

The {security-api-url}org/springframework/security/web/access/intercept/FilterSecurityInterceptor.html[`FilterSecurityInterceptor`] provides xref:servlet/authorization/index.adoc#servlet-authorization[authorization] for ``HttpServletRequest``s.
It is inserted into the xref:servlet/architecture/index.adoc#servlet-filterchainproxy[FilterChainProxy] as one of the xref:servlet/architecture/index.adoc#servlet-security-filters[Security Filters].

.Authorize HttpServletRequest
image::{figures}/filtersecurityinterceptor.png[]

* image:{icondir}/number_1.png[] First, the `FilterSecurityInterceptor` obtains an  xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[Authentication] from the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder].
* image:{icondir}/number_2.png[] Second, `FilterSecurityInterceptor` creates a {security-api-url}org/springframework/security/web/FilterInvocation.html[`FilterInvocation`] from the `HttpServletRequest`, `HttpServletResponse`, and `FilterChain` that are passed into the `FilterSecurityInterceptor`.
// FIXME: link to FilterInvocation
* image:{icondir}/number_3.png[] Next, it passes the `FilterInvocation` to `SecurityMetadataSource` to get the ``ConfigAttribute``s.
* image:{icondir}/number_4.png[] Finally, it passes the `Authentication`, `FilterInvocation`, and ``ConfigAttribute``s to the `AccessDecisionManager`.
** image:{icondir}/number_5.png[] If authorization is denied, an `AccessDeniedException` is thrown.
In this case the xref:servlet/architecture/index.adoc#servlet-exceptiontranslationfilter[`ExceptionTranslationFilter`] handles the `AccessDeniedException`.
** image:{icondir}/number_6.png[] If access is granted, `FilterSecurityInterceptor` continues with the xref:servlet/architecture/index.adoc#servlet-filters-review[FilterChain] which allows the application to process normally.

// configuration (xml/java)

By default, Spring Security's authorization will require all requests to be authenticated.
The explicit configuration looks like:

.Every Request Must be Authenticated
====
.Java
[source,java,role="primary"]
----
protected void configure(HttpSecurity http) throws Exception {
	http
		// ...
		.authorizeRequests(authorize -> authorize
			.anyRequest().authenticated()
		);
}
----

.XML
[source,xml,role="secondary"]
----
<http>
	<!-- ... -->
	<intercept-url pattern="/**" access="authenticated"/>
</http>
----

.Kotlin
[source,kotlin,role="secondary"]
----
fun configure(http: HttpSecurity) {
    http {
        // ...
        authorizeRequests {
            authorize(anyRequest, authenticated)
        }
    }
}
----
====

We can configure Spring Security to have different rules by adding more rules in order of precedence.

.Authorize Requests
====
.Java
[source,java,role="primary"]
----
protected void configure(HttpSecurity http) throws Exception {
	http
		// ...
		.authorizeRequests(authorize -> authorize                                  // <1>
			.mvcMatchers("/resources/**", "/signup", "/about").permitAll()         // <2>
			.mvcMatchers("/admin/**").hasRole("ADMIN")                             // <3>
			.mvcMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")   // <4>
			.anyRequest().denyAll()                                                // <5>
		);
}
----

.XML
[source,xml,role="secondary"]
----
<http> <!--1-->
	<!-- ... -->
	<!--2-->
	<intercept-url pattern="/resources/**" access="permitAll"/>
	<intercept-url pattern="/signup" access="permitAll"/>
	<intercept-url pattern="/about" access="permitAll"/>

	<intercept-url pattern="/admin/**" access="hasRole('ADMIN')"/> <!--3-->
	<intercept-url pattern="/db/**" access="hasRole('ADMIN') and hasRole('DBA')"/> <!--4-->
	<intercept-url pattern="/**" access="denyAll"/> <!--5-->
</http>
----

.Kotlin
[source,kotlin,role="secondary"]
----
fun configure(http: HttpSecurity) {
   http {
        authorizeRequests { // <1>
            authorize("/resources/**", permitAll) // <2>
            authorize("/signup", permitAll)
            authorize("/about", permitAll)

            authorize("/admin/**", hasRole("ADMIN")) // <3>
            authorize("/db/**", "hasRole('ADMIN') and hasRole('DBA')") // <4>
            authorize(anyRequest, denyAll) // <5>
        }
    }
}
----
====
<1> There are multiple authorization rules specified.
Each rule is considered in the order they were declared.
<2> We specified multiple URL patterns that any user can access.
Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about".
<3> Any URL that starts with "/admin/" will be restricted to users who have the role "ROLE_ADMIN".
You will notice that since we are invoking the `hasRole` method we do not need to specify the "ROLE_" prefix.
<4> Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA".
You will notice that since we are using the `hasRole` expression we do not need to specify the "ROLE_" prefix.
<5> Any URL that has not already been matched on is denied access.
This is a good strategy if you do not want to accidentally forget to update your authorization rules.
Extract FilterSecurityInterceptor Docs Closes gh-8001 2020-02-20 15:32:20 -05:00			`[[servlet-authorization-filtersecurityinterceptor]]`
			`= Authorize HttpServletRequest with FilterSecurityInterceptor`
Fix images - Move images into assets/ - Remove figures form antora.yml - Add :figures: to each page that uses it 2021-07-30 16:07:36 -04:00			`:figures: servlet/authorization`
Restructure Docs Issue gh-5935 2019-09-22 02:56:30 -04:00
mkdir -p build/ids find -name ".adoc" \| xargs -I{file} awk -v file={file} '/\[\[/ { gsub("\[\|\]", ""); id=$0; gsub("./docs/modules/ROOT/pages/", "", file); gsub("\[\|\]", ""); id=$0;getline;text=$0; sub("^=+ ","", text); print file > "build/ids/"id".id"; print text > "build/ids/"id".text" }' {file} find docs/modules -name ".adoc"\|while read adoc_file_to_replace; do echo "Replacing $adoc_file_to_replace" for id_file in build/ids/*.id; do id=$(basename $id_file \| sed 's/\.id$//') xref_page=$(cat $id_file) if [[ "$adoc_file_to_replace" -ef "./docs/modules/ROOT/pages/$xref_page" ]] then echo " - Skipping same page refid $id " else sed -i -E "s%<<$id(\|,([^,>]+))>>%xref:${xref_page}#${id}[\2]%g" $adoc_file_to_replace fi done done 2021-07-30 17:56:54 -04:00			`This section builds on xref:servlet/architecture/index.adoc#servlet-architecture[Servlet Architecture and Implementation] by digging deeper into how xref:servlet/authorization/index.adoc#servlet-authorization[authorization] works within Servlet based applications.`
Restructure Docs Issue gh-5935 2019-09-22 02:56:30 -04:00
mkdir -p build/ids find -name ".adoc" \| xargs -I{file} awk -v file={file} '/\[\[/ { gsub("\[\|\]", ""); id=$0; gsub("./docs/modules/ROOT/pages/", "", file); gsub("\[\|\]", ""); id=$0;getline;text=$0; sub("^=+ ","", text); print file > "build/ids/"id".id"; print text > "build/ids/"id".text" }' {file} find docs/modules -name ".adoc"\|while read adoc_file_to_replace; do echo "Replacing $adoc_file_to_replace" for id_file in build/ids/*.id; do id=$(basename $id_file \| sed 's/\.id$//') xref_page=$(cat $id_file) if [[ "$adoc_file_to_replace" -ef "./docs/modules/ROOT/pages/$xref_page" ]] then echo " - Skipping same page refid $id " else sed -i -E "s%<<$id(\|,([^,>]+))>>%xref:${xref_page}#${id}[\2]%g" $adoc_file_to_replace fi done done 2021-07-30 17:56:54 -04:00			The {security-api-url}org/springframework/security/web/access/intercept/FilterSecurityInterceptor.html[`FilterSecurityInterceptor`] provides xref:servlet/authorization/index.adoc#servlet-authorization[authorization] for ``HttpServletRequest``s.
rg "xref:\S+?#\S+\[\]" docs/modules -l -g ".adoc" \| while read adoc_file_to_replace; do echo "Replacing $adoc_file_to_replace" for id_file in build/ids/.id; do id=$(basename $id_file \| sed 's/\.id$//') xref_page=$(cat $id_file) if [[ "$adoc_file_to_replace" -ef "./docs/modules/ROOT/pages/$xref_page" ]] then echo " - Skipping same page refid $id " else text_file=$(echo $id_file \| sed 's/\.id$/.text/') default_text=$(cat $text_file) sed -i -E "s%xref:${xref_page}#${id}\[\]%xref:${xref_page}#${id}[$default_text]%g" $adoc_file_to_replace fi done done 2021-07-30 18:02:44 -04:00			`It is inserted into the xref:servlet/architecture/index.adoc#servlet-filterchainproxy[FilterChainProxy] as one of the xref:servlet/architecture/index.adoc#servlet-security-filters[Security Filters].`
Extract FilterSecurityInterceptor Docs Closes gh-8001 2020-02-20 15:32:20 -05:00
			`.Authorize HttpServletRequest`
			`image::{figures}/filtersecurityinterceptor.png[]`

rg "xref:\S+?#\S+\[\]" docs/modules -l -g ".adoc" \| while read adoc_file_to_replace; do echo "Replacing $adoc_file_to_replace" for id_file in build/ids/.id; do id=$(basename $id_file \| sed 's/\.id$//') xref_page=$(cat $id_file) if [[ "$adoc_file_to_replace" -ef "./docs/modules/ROOT/pages/$xref_page" ]] then echo " - Skipping same page refid $id " else text_file=$(echo $id_file \| sed 's/\.id$/.text/') default_text=$(cat $text_file) sed -i -E "s%xref:${xref_page}#${id}\[\]%xref:${xref_page}#${id}[$default_text]%g" $adoc_file_to_replace fi done done 2021-07-30 18:02:44 -04:00			* image:{icondir}/number_1.png[] First, the `FilterSecurityInterceptor` obtains an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[Authentication] from the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder].
Extract FilterSecurityInterceptor Docs Closes gh-8001 2020-02-20 15:32:20 -05:00			* image:{icondir}/number_2.png[] Second, `FilterSecurityInterceptor` creates a {security-api-url}org/springframework/security/web/FilterInvocation.html[`FilterInvocation`] from the `HttpServletRequest`, `HttpServletResponse`, and `FilterChain` that are passed into the `FilterSecurityInterceptor`.
			`// FIXME: link to FilterInvocation`
			* image:{icondir}/number_3.png[] Next, it passes the `FilterInvocation` to `SecurityMetadataSource` to get the ``ConfigAttribute``s.
			* image:{icondir}/number_4.png[] Finally, it passes the `Authentication`, `FilterInvocation`, and ``ConfigAttribute``s to the `AccessDecisionManager`.
			** image:{icondir}/number_5.png[] If authorization is denied, an `AccessDeniedException` is thrown.
mkdir -p build/ids find -name ".adoc" \| xargs -I{file} awk -v file={file} '/\[\[/ { gsub("\[\|\]", ""); id=$0; gsub("./docs/modules/ROOT/pages/", "", file); gsub("\[\|\]", ""); id=$0;getline;text=$0; sub("^=+ ","", text); print file > "build/ids/"id".id"; print text > "build/ids/"id".text" }' {file} find docs/modules -name ".adoc"\|while read adoc_file_to_replace; do echo "Replacing $adoc_file_to_replace" for id_file in build/ids/*.id; do id=$(basename $id_file \| sed 's/\.id$//') xref_page=$(cat $id_file) if [[ "$adoc_file_to_replace" -ef "./docs/modules/ROOT/pages/$xref_page" ]] then echo " - Skipping same page refid $id " else sed -i -E "s%<<$id(\|,([^,>]+))>>%xref:${xref_page}#${id}[\2]%g" $adoc_file_to_replace fi done done 2021-07-30 17:56:54 -04:00			In this case the xref:servlet/architecture/index.adoc#servlet-exceptiontranslationfilter[`ExceptionTranslationFilter`] handles the `AccessDeniedException`.
			** image:{icondir}/number_6.png[] If access is granted, `FilterSecurityInterceptor` continues with the xref:servlet/architecture/index.adoc#servlet-filters-review[FilterChain] which allows the application to process normally.
Extract FilterSecurityInterceptor Docs Closes gh-8001 2020-02-20 15:32:20 -05:00
			`// configuration (xml/java)`

			`By default, Spring Security's authorization will require all requests to be authenticated.`
			`The explicit configuration looks like:`

			`.Every Request Must be Authenticated`
			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`protected void configure(HttpSecurity http) throws Exception {`
			`http`
			`// ...`
			`.authorizeRequests(authorize -> authorize`
			`.anyRequest().authenticated()`
			`);`
			`}`
			`----`

			`.XML`
			`[source,xml,role="secondary"]`
			`----`
			`<http>`
			`<!-- ... -->`
			`<intercept-url pattern="/**" access="authenticated"/>`
			`</http>`
			`----`
Add Kotlin samples to docs Issue: gh-5558 2020-02-26 10:11:24 -05:00
			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`fun configure(http: HttpSecurity) {`
			`http {`
			`// ...`
			`authorizeRequests {`
			`authorize(anyRequest, authenticated)`
			`}`
			`}`
			`}`
			`----`
Extract FilterSecurityInterceptor Docs Closes gh-8001 2020-02-20 15:32:20 -05:00			`====`

			`We can configure Spring Security to have different rules by adding more rules in order of precedence.`

			`.Authorize Requests`
			`====`
			`.Java`
			`[source,java,role="primary"]`
Restructure Docs Issue gh-5935 2019-09-22 02:56:30 -04:00			`----`
			`protected void configure(HttpSecurity http) throws Exception {`
			`http`
Extract FilterSecurityInterceptor Docs Closes gh-8001 2020-02-20 15:32:20 -05:00			`// ...`
Use standard lambda syntax in documentation Fixes: gh-7774 2020-01-10 07:10:36 -05:00			`.authorizeRequests(authorize -> authorize // <1>`
Extract FilterSecurityInterceptor Docs Closes gh-8001 2020-02-20 15:32:20 -05:00			`.mvcMatchers("/resources/**", "/signup", "/about").permitAll() // <2>`
			`.mvcMatchers("/admin/**").hasRole("ADMIN") // <3>`
			`.mvcMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // <4>`
			`.anyRequest().denyAll() // <5>`
			`);`
Restructure Docs Issue gh-5935 2019-09-22 02:56:30 -04:00			`}`
			`----`

Extract FilterSecurityInterceptor Docs Closes gh-8001 2020-02-20 15:32:20 -05:00			`.XML`
			`[source,xml,role="secondary"]`
			`----`
			`<http> <!--1-->`
			`<!-- ... -->`
			`<!--2-->`
			`<intercept-url pattern="/resources/**" access="permitAll"/>`
			`<intercept-url pattern="/signup" access="permitAll"/>`
			`<intercept-url pattern="/about" access="permitAll"/>`

			`<intercept-url pattern="/admin/**" access="hasRole('ADMIN')"/> <!--3-->`
			`<intercept-url pattern="/db/**" access="hasRole('ADMIN') and hasRole('DBA')"/> <!--4-->`
			`<intercept-url pattern="/**" access="denyAll"/> <!--5-->`
			`</http>`
			`----`
Add Kotlin samples to docs Issue: gh-5558 2020-02-26 10:11:24 -05:00
			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`fun configure(http: HttpSecurity) {`
			`http {`
			`authorizeRequests { // <1>`
			`authorize("/resources/**", permitAll) // <2>`
			`authorize("/signup", permitAll)`
			`authorize("/about", permitAll)`

			`authorize("/admin/**", hasRole("ADMIN")) // <3>`
			`authorize("/db/**", "hasRole('ADMIN') and hasRole('DBA')") // <4>`
			`authorize(anyRequest, denyAll) // <5>`
			`}`
			`}`
			`}`
			`----`
Extract FilterSecurityInterceptor Docs Closes gh-8001 2020-02-20 15:32:20 -05:00			`====`
			`<1> There are multiple authorization rules specified.`
			`Each rule is considered in the order they were declared.`
Restructure Docs Issue gh-5935 2019-09-22 02:56:30 -04:00			`<2> We specified multiple URL patterns that any user can access.`
			`Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about".`
			`<3> Any URL that starts with "/admin/" will be restricted to users who have the role "ROLE_ADMIN".`
			You will notice that since we are invoking the `hasRole` method we do not need to specify the "ROLE_" prefix.
			`<4> Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA".`
			You will notice that since we are using the `hasRole` expression we do not need to specify the "ROLE_" prefix.
Extract FilterSecurityInterceptor Docs Closes gh-8001 2020-02-20 15:32:20 -05:00			`<5> Any URL that has not already been matched on is denied access.`
			`This is a good strategy if you do not want to accidentally forget to update your authorization rules.`