
  • Spring Security disregards my basic auth unless I specify access role

    Using Spring 3.1.2 and RestEasy 2.3.4.

    I've got some REST resources. However, I don't want to specify in Spring what roles are needed for all of them. This is my current setup:

    <security:http auto-config="true" use-expressions="true">
        <security:http-basic/>
        <security:intercept-url pattern="/secrets/**" access="ROLE_USER"/>
        <security:intercept-url pattern="/**"/>
    </security:http>

    Calls to '/secret/**' get authenticated and I can access the user and roles from the SecurityContextHolder object. Calls to '/**', however, don't get authenticated even though I pass basic credentials. I want to authorise internally based on data being loaded and not by the URLs.

    It seems that Spring Security disregards my basic auth unless I specify access. Is that correct? Is there any way around it?

    Thanks
    ThorÅge

  • #2
    You have to specify access rules to have authentication applied; if you don't specify anything, basically every request matches. Simply specify an access rule as AUTHENTICATED_FULLY, which will trigger the process, and after that you can simply do the checks yourself.

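The catch-all access rule suggested in reply #2, written out as an added example (not posted by either participant). It assumes the `security` namespace prefix from the original post; because `use-expressions="true"` is set, the rules are given as the expressions `hasRole('ROLE_USER')` and `isFullyAuthenticated()`, which are the expression forms of the `ROLE_USER` and `IS_AUTHENTICATED_FULLY` attributes used when expressions are switched off.

```xml
<security:http auto-config="true" use-expressions="true">
    <!-- HTTP Basic stays enabled so credentials sent in the Authorization header are accepted. -->
    <security:http-basic/>

    <!-- Rules are matched top to bottom and the first match wins,
         so the narrower role-restricted pattern goes before the catch-all. -->
    <security:intercept-url pattern="/secrets/**" access="hasRole('ROLE_USER')"/>

    <!-- Catch-all with an explicit access rule: every other request must come from a
         fully authenticated caller (not anonymous, not remember-me), but no particular
         role is demanded. Unauthenticated requests are not passed on to the resource. -->
    <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
</security:http>
```

With this in place the URL layer only decides whether the caller is authenticated; the per-data authorisation the original post asks for is then done in the resource code against the principal and roles held in `SecurityContextHolder`.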