
Validate additional role in spring-resource-server - Stack Overflow


Is it possible to validate one role with one method regardless of other roles?

I need to verify if a client has the role ONLY_READ, so he can call only GET methods and that's all for him. If someone has the roles ONLY_READ and ... WRITE, he can do everything, and also if a client has only WRITE he can do everything too. When I do that, clients cannot do anything without the ONLY_READ role.

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

    http
            .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(authorize ->
                    authorize
                            .requestMatchers(NON_SECURED_PATTERNS).permitAll()
                            .requestMatchers(HttpMethod.GET).hasRole("ONLY_READ")
                            .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(t -> t.jwtAuthenticationConverter(converter)))
            .csrf(AbstractHttpConfigurer::disable)
            .cors(AbstractHttpConfigurer::disable)
            .exceptionHandling(exceptions -> exceptions.authenticationEntryPoint(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)
            ));

    return http.build();
}

P.S. I found a solution, but I cannot make it work. It needs an OrRequestMatcher where I put requestMatchers(HttpMethod.GET).hasRole("ONLY_READ") and requestMatchers("**/*"). But I cannot find any class like RoleRequestMatchers.


asked Mar 14 at 11:34 by Dred, edited Mar 14 at 13:15

1 Answer

My workaround was like this

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

    http
            .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(authorize ->
                    authorize
                            .requestMatchers(NON_SECURED_PATTERNS).permitAll()
                            .requestMatchers(antMatcher("**")).access(customAuthManager())
                            .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(t -> t.jwtAuthenticationConverter(converter)))
            .csrf(Customizer.withDefaults())
            .cors(c -> c.configurationSource(corsConfigurationSource()))
            .exceptionHandling(exceptions -> exceptions.authenticationEntryPoint(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)
            ));

    return http.build();
}


private AuthorizationManager<RequestAuthorizationContext> customAuthManager() {
    return (supplier, context) -> {
        final Authentication authentication = supplier.get();
        // antMatcher("**") catches every request, so anyRequest().authenticated() is never reached:
        // an anonymous caller has to be rejected here, otherwise every GET would be open to anyone.
        if (authentication == null || !authentication.isAuthenticated()
                || authentication instanceof AnonymousAuthenticationToken) {
            return new AuthorizationDecision(false);
        }
        final Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        if (authorities == null || authorities.isEmpty()) {
            return new AuthorizationDecision(false);
        }

        boolean isGet = HttpMethod.GET.name().equals(context.getRequest().getMethod());
        boolean isOneRole = authorities.size() == 1;
        boolean isReadOnly = authorities.stream().anyMatch(r -> "ONLY_READ".equals(r.getAuthority()));
        // A caller whose only role is ONLY_READ may issue GET requests and nothing else;
        // every other authenticated caller (WRITE alone, or ONLY_READ together with WRITE) is allowed.
        boolean result = isGet || !(isOneRole && isReadOnly);

        return new AuthorizationDecision(result);
    };
}
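As an added example (not code from the question or the answer), the same requirement expressed with Spring Security's composable AuthorityAuthorizationManager instead of a hand-written decision, together with a JUnit 5 test of the decision table that also covers the anonymous caller. It assumes the only roles are ONLY_READ and WRITE and that the JWT converter emits ROLE_-prefixed authorities (hasRole/hasAnyRole add that prefix); the request path /api/items is constructed.

```java
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

import org.junit.jupiter.api.Test;
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

class ReadOnlyRoleRuleTest {
    // Rule: GET is open to either role, every other verb requires WRITE. hasRole/hasAnyRole
    // prepend "ROLE_", so the JWT converter is assumed to emit ROLE_-prefixed authorities.
    static final AuthorizationManager<RequestAuthorizationContext> RULE = (auth, ctx) -> {
        AuthorizationManager<RequestAuthorizationContext> required;
        if (HttpMethod.GET.matches(ctx.getRequest().getMethod())) {
            required = AuthorityAuthorizationManager.hasAnyRole("ONLY_READ", "WRITE");
        } else {
            required = AuthorityAuthorizationManager.hasRole("WRITE");
        }
        return required.check(auth, ctx);
    };

    // Evaluates RULE for one caller and HTTP verb against a constructed request (hypothetical path).
    static boolean allowed(Authentication caller, String method) {
        RequestAuthorizationContext ctx =
                new RequestAuthorizationContext(new MockHttpServletRequest(method, "/api/items"));
        return RULE.check(() -> caller, ctx).isGranted();
    }

    static Authentication caller(String... authorities) {
        return new TestingAuthenticationToken("client", "n/a", authorities); // authenticated = true
    }

    @Test
    void decisionTable() {
        assertTrue(allowed(caller("ROLE_ONLY_READ"), "GET"));
        assertFalse(allowed(caller("ROLE_ONLY_READ"), "POST"));                 // sole ONLY_READ: read only
        assertTrue(allowed(caller("ROLE_WRITE"), "POST"));                      // WRITE alone: everything
        assertTrue(allowed(caller("ROLE_ONLY_READ", "ROLE_WRITE"), "DELETE")); // both roles: everything
        Authentication anonymous = new AnonymousAuthenticationToken("key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        assertFalse(allowed(anonymous, "GET"));                                 // no bearer token: denied
    }
}
```

In the filter chain the same rule is declarative: `.requestMatchers(HttpMethod.GET).hasAnyRole("ONLY_READ", "WRITE")` followed by `.anyRequest().hasRole("WRITE")`; RULE is only that pair folded into one manager so the decision table can be unit-tested without starting the container.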