Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Securing URLs Using Spring Security

DZone's Guide to

Securing URLs Using Spring Security

Securing URLs using Spring Security is a pretty straight forward job. Read on to find out how to do it!

· Java Zone ·
Free Resource

How do you break a Monolith into Microservices at Scale? This ebook shows strategies and techniques for building scalable and resilient microservices.

Typically when securing a URL you are looking to do one of the following:

  • Allow access to everyone to a given URL
  • Secure URL based on roles.
  • Secure URL based on multiple roles.
  • Secure URL based on IP Address.

This post shows how to do this using spring security

Specifying URLs

The most common approach to specifying a URL is through antMatchers. So if we want to secure:

http://www.example.com/static Open to everyone – CSS, JavaScript
http://www.example.com/register Open to everyone
http://www.example.com/login Open to everyone
http://www.example.com/user/ ROLE_USER or ROLE_ADMIN – User Area
http://www.example.com/admin/

ROLE_ADMIN only and restrict on IPADDRESS – Admin Area

We would simply use:

.antMatchers("/register")

Or with multiple:

.antMatchers("/register","/login","/user","/admin")

We also specify individual pages or directories –

.antMatchers("register.html"); // Individual
.antMatchers("/admin/**"); // Directory


Depending on the complexity of pattern you are securing, you can also consider:

Securing the URLs

The methods to secure URL’s are defined in AuthorizedUrl. The most common methods are:

  • authenticated(): This is the URL you want to protect, and requires the user to login
  • permitAll(): This is used for URL’s with no security applied for example css, javascript
  • hasRole(String role): Restrict to single role. Note that the role will have “ROLE_” appended. So role=”ADMIN” has a comparison against “ROLE_ADMIN”. An alternatve is hasAuthority(String authority)
  • hasAnyRole(String… roles): Allows multiple roles. An alternative is hasAnyAuthority(String… authorities)

Other useful methods are:

  • access(String attribute): This method takes SPEL, so you can create more complex restrictions. For those who are interested a lot of the methods in  ExpressionUrlAuthorizationConfigurer.AuthorizedUrl ultimately call access with the required SPEL
  • hasIpAddress(String ipaddressExpression): Restrict on IP address or subnet

Putting it All Together

We can put this altogher and create a method like:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
      http
        .authorizeRequests()
           .antMatchers("/static","/register").permitAll()
           .antMatchers("/user/**").hasRoles("USER", "ADMIN") // can pass multiple roles
           .antMatchers("/admin/**").access("hasRole('ADMIN') and hasIpAddress('123.123.123.123')") // pass SPEL using access method
           .anyRequest().authenticated()
           .and()
       .formLogin()
           .loginUrl("/login")
           .permitAll();
    }

The key points are:

  • permitAll gives everyone access to a file or directory.
  • hasRoles passes multiple roles.
  • access for more compicated access.

As a side note, I am currently working on a project to automatically generate this configuration with my spring-security-generator.

How do you break a Monolith into Microservices at Scale? This ebook shows strategies and techniques for building scalable and resilient microservices.

Topics:
url ,java ,spring security ,roles

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}