- There was an inconvenience of managing duplicate APIs based on permissions when using Spring Security
- Using this library helps manage APIs based on permissions.
- SecurityPass provides the @SecurityPass annotation. The @SecurityPass annotation can be used on a controller's methods.
- SecurityPassUtils returns the API URLs of methods with the @SecurityPass annotation attached.
- Maven Central
- In the controller and spring-security settings, it is inconvenient to manage URLs for each authority redundantly.
@PostMapping(value = "/user/login.do")
public HashMap<String, Object> actionLogin() throws Exception {
// Login Action
}private String[] AUTH_WHITELIST = {
"/",
"/user/login.do",
};
@Bean
protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http
.authorizeHttpRequests(authorize -> authorize
.antMatchers(AUTH_WHITELIST).permitAll()
.anyRequest().authenticated()
)
.build();
}- There are annotations for authorization and authentication in each method, but special settings must be made.
- @PreAuthorize("hasRole('ROLE_USER') In this case, it is difficult to check errors caused by typos at runtime.
- When using annotations such as @PermitAll, authorizeHttpRequests() cannot be used in spring-security configuration.
- When using annotations such as @PermitAll, you need to set or remove special settings to authorizeHttpRequests() in your spring-security configuration.
@PermitAll
//@Secured({"ROLE_USER","ROLE_ADMIN"})
//@PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')")
public HashMap<String, Object> actionLogin() throws Exception {
// Login Action
}@EnableGlobalMethodSecurity(jsr250Enabled = true)
//@EnableMethodSecurity(securedEnabled = true , securedEnabled = true)
public class SecurityConfig {
@Bean
protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http
.csrf(AbstractHttpConfigurer::disable)
//.authorizeHttpRequests(authorize -> authorize
// .antMatchers(AUTH_WHITELIST).permitAll()
// .anyRequest().authenticated()
//)
.build();
}
}- No special configuration is required to use the @SecurityPass annotation.
- SecurityPassUtils returns the API URLs of methods with the @SecurityPass annotation attached.
@PostMapping(value = "/user/login.do")
@SecurityPass
public HashMap<String, Object> actionLogin() throws Exception {
//login action
}@Configuration
public class SecurityPassConfig {
@Bean
protected SecurityPassUtils securityPassUtils(){
return new SecurityPassUtils();
}
}@Autowired
SecurityPassUtils securityPassUtils
@Bean
protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
String[] permitAllUrls = securityPassUtils.getUrls(); // [ "/user/login.do" ]
return http
.authorizeHttpRequests(authorize -> authorize
.antMatchers(permitAllUrls).permitAll()
.anyRequest().authenticated()
)
.build();
}@SecurityPass
@SecurityPass(role="admin")
@SecurityPass(role="user")
@SecurityPass(role={"user","admin"})String[] permitAllUrls = securityPassUtils.getUrls();
String[] permitAdminrls = securityPassUtils.getUrls("admin");
String[] permitUserUrls = securityPassUtils.getUrls("user");implementation group: 'io.github.Chung10Kr', name: 'SecurityPass', version: '1.0.1'implementation 'io.github.Chung10Kr:SecurityPass:1.0.1'<dependency>
<groupId>io.github.Chung10Kr</groupId>
<artifactId>SecurityPass</artifactId>
<version>1.0.1</version>
</dependency>