I'm trying to use #PreAuthorize("hasAuthority('READ'), hasRole('ADMIN')") that throws parsing exception.
How can I use hasAuthority and hasRole with #PreAuthorize in Spring boot controller?
This worked as
#PreAuthorize("hasAuthority('READ') and hasRole('ADMIN')")
Related
I am checking a role "XXXXX" in my controller . But it is working only when I add a prefix "ROLE_".
#Secured("XXXXX") is not working but when I add the ROLE_ prefix, it is working fine (#Secured("ROLE_XXXXX")is working fine). How can I override this feature in my Spring Boot version 2 project?
Option 1. You can use #RolesAllowed("role_name") instead of #Secured
You would need to enable JSR-250 annotations support by annotating #Configuration class with #EnableGlobalMethodSecurity(jsr250Enabled=true)
Options 2. You can use #PreAuthorize("hasRole('ROLE_NAME_WITHOUT_ROLE_PREFIX')") instead of #Secured
You would need to enable PreAuthorize annotations support by annotating #Configuration class with #EnableGlobalMethodSecurity(prePostEnabled=true)
I'm using Spring Boot Parent version 1.5.16.
I need to use current user information and now I use #AuthenticationPrincipal annotation.
But I have to write this annotation for each method. I think this is not a best practice because I have more than 200+ methods. Is there any other suggestion to inject Authentication Principal globally or class level?
I'm trying to hide a REST endpoint based on runtime configuration in Spring and Jersey. The most straightforward way is to throw the NotFoundException from the controller itself but maybe there's more kosher. The controller is registered in the constructor of the config class which extends org.glassfish.jersey.server.ResourceConfig.
I thought of using the #Profile annotation on the controller but I can still access the endpoint. When I hit that endpoint, I get the following error:
o.g.j.s.s.SpringComponentProvider - None or multiple beans found in Spring context
but then Jersey manages to access that controller, which I confirmed by attaching a debugger to the Spring process. So Jersey does not honor the #Profile setting.
On a separate note, I also have Swagger plugged into Jersey and when accessing the definition endpoint (.../swagger.json) I can see the endpoint provided by the #Profile-disabled controller.
Is there anything better I can do here is is throwing the NotFoundException the best option?
Note: Sorry, I thought I saw that you were using Spring Boot. The following answer is only relevant for Spring Boot.
#Profile is only good for Spring bean registration, but you are still registering the service with Jersey as a resource. What you can do is use a ResourceConfigCustomizer and add the #Profile to the customizer. This way it will only register the resource with Jersey ResourceConfig if the correct profile is active.
#Component
#Profile("..")
public class MyResourceConfigCustomizer implements ResourceConfigCustomizer {
#Override
public void customize(ResourceConfig config) {
config.register(MyResource.class);
}
}
I'm writing an Inteceptor in a Spring Boot application but this interceptor must be run after the OSIV interceptor, as I understand, it's configured by Spring's JpaWebConfiguration class in JpaBaseConfiguration.
How can I order my WebMvcConfigurerAdapter extended class to so that my addInterceptors method is run after the JpaWebConfiguration one?
I have a filter (CorsFilter) that is configured using #Bean. This filter should run before LogoutFilter. I can do this by calling HttpSecurity.addFilterBefore(corsFilter, LogoutFilter.class) method in my implementation of ResourceServerConfigurerAdapter.configure(HttpSecurity http)
Can I achieve the effect of addFilterBefore just using annotation. Is there an #Before or something like that?
Spring Core 4.2.4
Spring Boot 1.3.1
Spring Security 4.0.2
Yes you can: org.springframework.core.annotation.Order
Here is an example