1.4.1 Security Expressions - API - Roles & Authorities Info
When you add the Spring Boot Starter Security dependency, Spring Boot auto-configures security so that every URL requires a login before it can be reached.
This tutorial shows how to loosen that restriction by allowing access to certain URLs without signing in, and by restricting other URLs to specific roles.
We will do this by creating a class SecurityConfig that extends WebSecurityConfigurerAdapter and overrides its configure(HttpSecurity) method. The matchers are evaluated in the order they are declared (the first one that matches the request wins), and a URL that matches none of them, for example /endPoint5, is not checked by these rules at all, which is why a production configuration normally ends with .anyRequest().authenticated().
SecurityConfig.java
httpSecurity.authorizeRequests()
.antMatchers("/endPoint1").denyAll() //No access (even after log in)
.antMatchers("/endPoint2").permitAll() //All have access (anonymous access without Login)
.antMatchers("/endPoint3").hasRole("ADMIN") //Only ADMIN ROLE can access (after log in)
.antMatchers("/endPoint4").hasAnyRole("ADMIN", "USER"); //Only ADMIN/USER ROLE can access (after log in)
Application Schema
[Diagram: Browser requests http://localhost:8080/endPoint1 -> Tomcat -> SecurityConfig (access rules) -> MyController]

Spring Boot Starters
GROUP      DEPENDENCY        DESCRIPTION
Web        Spring Web        Enables @Controller, @RequestMapping and Tomcat Server
Security   Spring Security   Enables Spring Security
Procedure
Create Project: springboot_security_urlpatternmatching (add Spring Boot Starters from the table)
Edit File: application.properties (specify Username, Password, Role)
Create Package: controllers (inside main package)
– Create Class: MyController.java (inside controllers package)
Create Package: config (inside main package)
– Create Class: SecurityConfig.java (inside config package)
application.properties
# SECURITY (one in-memory user; the roles are stored as the authorities ROLE_USER and ROLE_LOADER)
spring.security.user.name = myuser
spring.security.user.password = mypassword
spring.security.user.roles = USER, LOADER
MyController.java
package com.ivoronline.springboot_security_urlpatternmatching.controllers;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class MyController {

  // Four plain endpoints; which of them a caller may reach is decided entirely by SecurityConfig.
  @ResponseBody @RequestMapping("/endPoint1") public String ep1() { return "endPoint1"; }
  @ResponseBody @RequestMapping("/endPoint2") public String ep2() { return "endPoint2"; }
  @ResponseBody @RequestMapping("/endPoint3") public String ep3() { return "endPoint3"; }
  @ResponseBody @RequestMapping("/endPoint4") public String ep4() { return "endPoint4"; }

}
SecurityConfig.java
package com.ivoronline.springboot_security_urlpatternmatching.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity httpSecurity) throws Exception {

    //SPECIFY ACCESS TO ENDPOINTS (first matching rule wins; URLs not listed here are not checked by these rules)
    httpSecurity.authorizeRequests()
      .antMatchers("/endPoint1").denyAll()                  //No access (even after log in)
      .antMatchers("/endPoint2").permitAll()                //No log in needed (anonymous access)
      .antMatchers("/endPoint3").hasRole("ADMIN")           //Only ROLE_ADMIN can access, after log in
      .antMatchers("/endPoint4").hasAnyRole("ADMIN", "USER"); //ROLE_ADMIN or ROLE_USER can access, after log in

    //REDIRECT ANONYMOUS USERS TO THE LOGIN FORM
    httpSecurity.formLogin();

  }

}
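The configuration above targets Spring Security 5.x, but WebSecurityConfigurerAdapter was deprecated in Spring Security 5.7 and removed in 6.0. The following is an added example (not code from the original tutorial) that expresses the same four rules as a SecurityFilterChain bean for Spring Boot 3 / Spring Security 6, adds the deny-by-default catch-all that the tutorial's configuration lacks, and defines a second, hypothetical in-memory user myadmin / adminpassword so that the ADMIN branch of the rules can actually be exercised. It assumes the project's package name and reuses the user name, password and roles from application.properties.

```java
package com.ivoronline.springboot_security_urlpatternmatching.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

  @Bean
  SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(auth -> auth
        // Rules are evaluated top to bottom and the first matcher that fits the request wins,
        // so specific patterns must be declared before any wildcard such as "/**".
        .requestMatchers("/endPoint1").denyAll()                   // nobody, not even after login
        .requestMatchers("/endPoint2").permitAll()                 // anonymous access
        .requestMatchers("/endPoint3").hasRole("ADMIN")            // ROLE_ADMIN only
        .requestMatchers("/endPoint4").hasAnyRole("ADMIN", "USER") // ROLE_ADMIN or ROLE_USER
        // Deny-by-default catch-all: every URL not listed above still requires a login.
        // The tutorial's configuration has no such rule, so unlisted URLs pass through unchecked.
        .anyRequest().authenticated());
    http.formLogin(Customizer.withDefaults());
    return http.build();
  }

  // Two in-memory users so that both outcomes of hasRole("ADMIN") can be tested.
  @Bean
  UserDetailsService users(PasswordEncoder encoder) {
    UserDetails user = User.withUsername("myuser")                 // same user as application.properties
        .password(encoder.encode("mypassword"))
        .roles("USER", "LOADER")                                   // stored as ROLE_USER, ROLE_LOADER
        .build();
    UserDetails admin = User.withUsername("myadmin")               // hypothetical admin account
        .password(encoder.encode("adminpassword"))
        .roles("ADMIN")                                            // stored as ROLE_ADMIN
        .build();
    return new InMemoryUserDetailsManager(user, admin);
  }

  // Delegating encoder: passwords are stored as "{bcrypt}..." rather than in clear text.
  @Bean
  PasswordEncoder passwordEncoder() {
    return PasswordEncoderFactories.createDelegatingPasswordEncoder();
  }

}
```

Declaring a UserDetailsService bean switches off the spring.security.user.* properties, which is why myuser is defined here instead. With .anyRequest().authenticated() in place, an anonymous request to an unlisted URL such as /endPoint5 is redirected to the login form instead of reaching the controller unchecked.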
Results
http://localhost:8080/endPoint1 denyAll()                  => anonymous users are redirected to the login form; after login every user, whatever its roles, gets 403 Forbidden
http://localhost:8080/endPoint2 permitAll()                => allowed for everyone, no login required
http://localhost:8080/endPoint3 hasRole("ADMIN")           => myuser (roles USER, LOADER) gets 403 Forbidden after login, because only ROLE_ADMIN is accepted
http://localhost:8080/endPoint4 hasAnyRole("ADMIN", "USER") => myuser is allowed after login, because it holds ROLE_USER
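To turn the results above into a repeatable check, here is an added example (not part of the original tutorial) of a MockMvc test that asserts the expected HTTP status for each endpoint against the tutorial's SecurityConfig and MyController. It assumes spring-boot-starter-test and spring-security-test on the test classpath (JUnit 5), the project's package name, and one hypothetical unlisted URL, /endPoint5, used to show that the tutorial's rules do not cover it.

```java
package com.ivoronline.springboot_security_urlpatternmatching;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class UrlPatternAccessTest {

  @Autowired
  MockMvc mockMvc;

  @Test
  void anonymousCanReachPermitAllEndpoint() throws Exception {
    mockMvc.perform(get("/endPoint2")).andExpect(status().isOk());
  }

  @Test
  void anonymousIsSentToLoginFormForProtectedEndpoint() throws Exception {
    // formLogin() installs LoginUrlAuthenticationEntryPoint, so an unauthenticated
    // request to a role-protected URL becomes a 302 to /login rather than a 401/403.
    mockMvc.perform(get("/endPoint4"))
        .andExpect(status().is3xxRedirection())
        .andExpect(redirectedUrlPattern("**/login"));
  }

  @Test
  @WithMockUser(username = "myuser", roles = {"USER", "LOADER"})
  void userIsForbiddenOnDenyAllEndpoint() throws Exception {
    mockMvc.perform(get("/endPoint1")).andExpect(status().isForbidden());
  }

  @Test
  @WithMockUser(username = "myuser", roles = {"USER", "LOADER"})
  void userIsForbiddenOnAdminOnlyEndpoint() throws Exception {
    mockMvc.perform(get("/endPoint3")).andExpect(status().isForbidden());
  }

  @Test
  @WithMockUser(username = "myuser", roles = {"USER", "LOADER"})
  void userIsAllowedOnUserOrAdminEndpoint() throws Exception {
    mockMvc.perform(get("/endPoint4")).andExpect(status().isOk());
  }

  @Test
  @WithMockUser(username = "myadmin", roles = "ADMIN")   // hypothetical admin identity, mocked, no account needed
  void adminIsAllowedOnAdminOnlyEndpoint() throws Exception {
    mockMvc.perform(get("/endPoint3")).andExpect(status().isOk());
  }

  @Test
  void unlistedUrlIsNotProtectedByTheTutorialRules() throws Exception {
    // /endPoint5 is hypothetical: no controller maps it and no antMatcher mentions it.
    // Because the tutorial's configuration has no anyRequest() rule, the request is not
    // challenged and reaches the DispatcherServlet, which answers 404. Adding
    // .anyRequest().authenticated() would turn this into a redirect to /login.
    mockMvc.perform(get("/endPoint5")).andExpect(status().isNotFound());
  }

}
```

The last test documents the gap rather than a desired behaviour: it passes against the tutorial's SecurityConfig and is expected to fail once a deny-by-default catch-all is added.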