How to allow anonymous users to access a certain function only using spring security

I'm using spring security in my project.
I have a condition where the anonymous users should be able to read from database whereas only authorized users to add/update/delete.
How can we mention such situation in the security-config?
    .antMatchers("/user/**").permitAll()
permitAll requires the user to be authenticated, but I want even non-authenticated users to access it via the GET method.
    @RequestMapping("/user")
    @PreAuthorize("hasAuthority('USER')")
    public List<UserAll> getAll() {
        return userService.getAll();
    }
And here, how do I mention that this function should be accessible to anonymous users too?
@fg78nc that's for the controller part. What about the .antMatchers("/user/**").permitAll() section? It will require authentication.
– Kush Raj Rimal
Jul 2 at 4:31
.antMatchers("/user").access("hasAnyRole('USER', 'ANONYMOUS')")
Think of anonymous as a special, implicit role. – fg78nc
Jul 2 at 4:57
@fg78nc while doing that and testing through Postman without auth, it says "full authentication is required to access this resource". Do we have to state somewhere that anonymous users have the authority 'ANONYMOUS'?
– Kush Raj Rimal
Jul 2 at 5:27
No, you don't have to declare the 'ANONYMOUS' authority. Which resource exactly are you trying to access?
– fg78nc
Jul 2 at 6:04
1 Answer
In my WebSecurityConfig class I use this:
    .authorizeRequests()
        .antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources",
                     "/configuration/security", "/swagger-ui.html", "/webjars/**")
            .permitAll()
        .antMatchers("/secure/rest/**")
            .authenticated()
        .antMatchers("/register**")
            .anonymous()
        .antMatchers("/login**")
            .anonymous()
        .and();
What this does is it ONLY allows unauthenticated users to use the register and login endpoints. It allows ONLY authenticated users to access the other endpoints (the ones that start with /secure/rest).
It also allows my Swagger endpoints to be used by both authenticated and unauthenticated users.
permitAll does not require the user to be authenticated. It allows all requests through.
As a side note, I recommend having different security configs per environment. I don't recommend exposing Swagger endpoints to everybody in prod environments. The above config is for my lower development environments.
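An added example, not code from the question or the answer above, of the split the asker describes: GET on /user/** open to anonymous callers, while POST/PUT/DELETE on the same paths require a real login. It assumes the WebSecurityConfigurerAdapter / antMatchers API that the question's snippets use; the HTTP Basic login and the catch-all rule are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated top to bottom; the first matcher that fits wins,
                // so the method-specific GET rule must come before the broader ones.
                // permitAll() does not demand an Authentication: the anonymous filter
                // still fills SecurityContextHolder with an anonymous token carrying
                // ROLE_ANONYMOUS, which is why hasAnyRole('USER','ANONYMOUS') also works.
                .antMatchers(HttpMethod.GET, "/user/**").permitAll()
                // Writes on /user/** need a non-anonymous authentication. A request that
                // hits one of these without credentials gets the "Full authentication is
                // required to access this resource" response seen in the comments.
                .antMatchers(HttpMethod.POST, "/user/**").authenticated()
                .antMatchers(HttpMethod.PUT, "/user/**").authenticated()
                .antMatchers(HttpMethod.DELETE, "/user/**").authenticated()
                // Assumed default for everything else: closed rather than open.
                .anyRequest().authenticated()
                .and()
            // Assumed login mechanism; CSRF protection is left at its default.
            .httpBasic();
    }
}
```

The URL rule alone is not enough if the controller keeps @PreAuthorize("hasAuthority('USER')") on getAll(): method security runs after the filter chain and would still reject the anonymous caller, so that annotation has to be dropped or widened to a role the anonymous token has.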
I would advise to use permitAll sparingly, because it instructs Spring Security to totally ignore a URL and Spring Security will not set SecurityContextHolder. The proper way is to explicitly allow access to the URL by using ant or mvc matchers with the access attribute. – fg78nc
Jul 2 at 5:06
Won't it still set one for the other URLs? And also, like I said, in higher-up environments I use a different configuration which does not have any permitAll() URLs. I only ever use permitAll() for things like Swagger endpoints in lower environments. In production, those endpoints don't even exist.
– Clayton
Jul 2 at 11:28
You can change it to hasAnyRole('USER', 'ANONYMOUS')
– fg78nc
Jul 2 at 4:18