Marcus Da Coregio
parent
624fdfa731
commit
57d6ab7134
|
|
@ -205,3 +205,78 @@ open fun web(http: HttpSecurity): SecurityFilterChain {
|
|||
}
|
||||
----
|
||||
====
|
||||
|
||||
Now with the authorization rules applying to all dispatcher types, you have more control of the authorization on them.
|
||||
For example, you may want to configure `shouldFilterAllDispatcherTypes` to `true` but not apply authorization on requests with dispatcher type `ASYNC` or `FORWARD`.
|
||||
|
||||
.Permit ASYNC and FORWARD dispatcher type
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
SecurityFilterChain web(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeHttpRequests((authorize) -> authorize
|
||||
.shouldFilterAllDispatcherTypes(true)
|
||||
.dispatcherTypeMatchers(DispatcherType.ASYNC, DispatcherType.FORWARD).permitAll()
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
// ...
|
||||
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
open fun web(http: HttpSecurity): SecurityFilterChain {
|
||||
http {
|
||||
authorizeHttpRequests {
|
||||
shouldFilterAllDispatcherTypes = true
|
||||
authorize(DispatcherTypeRequestMatcher(DispatcherType.ASYNC, DispatcherType.FORWARD), permitAll)
|
||||
authorize(anyRequest, authenticated)
|
||||
}
|
||||
}
|
||||
return http.build()
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
You can also customize it to require a specific role for a dispatcher type:
|
||||
|
||||
.Require ADMIN for Dispatcher Type ERROR
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
SecurityFilterChain web(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeHttpRequests((authorize) -> authorize
|
||||
.shouldFilterAllDispatcherTypes(true)
|
||||
.dispatcherTypeMatchers(DispatcherType.ERROR).hasRole("ADMIN")
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
// ...
|
||||
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
open fun web(http: HttpSecurity): SecurityFilterChain {
|
||||
http {
|
||||
authorizeHttpRequests {
|
||||
shouldFilterAllDispatcherTypes = true
|
||||
authorize(DispatcherTypeRequestMatcher(DispatcherType.ERROR), hasRole("ADMIN"))
|
||||
authorize(anyRequest, authenticated)
|
||||
}
|
||||
}
|
||||
return http.build()
|
||||
}
|
||||
----
|
||||
====
|
||||
|
|
|
|||
|
|
@ -137,3 +137,71 @@ You will notice that since we are invoking the `hasRole` method we do not need t
|
|||
You will notice that since we are using the `hasRole` expression we do not need to specify the "ROLE_" prefix.
|
||||
<5> Any URL that has not already been matched on is denied access.
|
||||
This is a good strategy if you do not want to accidentally forget to update your authorization rules.
|
||||
|
||||
[[filtersecurityinterceptor-every-request]]
|
||||
== Apply FilterSecurityInterceptor to every request
|
||||
|
||||
By default, the `FilterSecurityInterceptor` only applies once to a request.
|
||||
This means that if a request is dispatched from a request that was already filtered, the `FilterSecurityInterceptor` will back-off and not perform any authorization checks.
|
||||
In some scenarios, you may want to apply the filter to every request.
|
||||
You can configure Spring Security to apply the authorization rules to every request by using the `filterSecurityInterceptorOncePerRequest` method:
|
||||
|
||||
.Set filterSecurityInterceptorOncePerRequest to false
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
SecurityFilterChain web(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.filterSecurityInterceptorOncePerRequest(false)
|
||||
.anyRequest.authenticated()
|
||||
)
|
||||
// ...
|
||||
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
.XML
|
||||
[source,xml]
|
||||
----
|
||||
<http once-per-request="false">
|
||||
<intercept-url pattern="/**" access="authenticated"/>
|
||||
</http>
|
||||
----
|
||||
====
|
||||
|
||||
You can also configure authorization based on the request dispatcher type:
|
||||
|
||||
.Permit ASYNC dispatcher type
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
SecurityFilterChain web(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.filterSecurityInterceptorOncePerRequest(false)
|
||||
.dispatcherTypeMatchers(DispatcherType.ASYNC).permitAll()
|
||||
.anyRequest.authenticated()
|
||||
)
|
||||
// ...
|
||||
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
.XML
|
||||
[source,xml]
|
||||
----
|
||||
<http auto-config="true" once-per-request="false">
|
||||
<intercept-url request-matcher-ref="dispatcherTypeMatcher" access="permitAll" />
|
||||
<intercept-url pattern="/**" access="authenticated"/>
|
||||
</http>
|
||||
|
||||
<b:bean id="dispatcherTypeMatcher" class="org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher">
|
||||
<b:constructor-arg value="ASYNC"/>
|
||||
</b:bean>
|
||||
----
|
||||
====
|
||||
|
|
|
|||
Loading…
Reference in New Issue