Spring Security role-based access control issue with wildcard in configuration


I'm encountering a specific issue with my Spring Security configuration for role-based access control in a Spring Boot application. The problem revolves around the use of wildcards (*) in URL patterns when defining access rules for different roles.

In the permitAll() case, I've noticed that I don't need to use a wildcard before certain URLs, such as /event/get-available-slots and /event/get-marker-data, for the configuration to work correctly. However, in the hasRole("admin") case, I encounter an error (access denied) without the wildcard (*).

Event Controller

@RequestMapping("/event")
@RestController
public class EventController {

    @GetMapping("/get-marker-data")
    public List<EventsInRetailFlow> getAllEventsInRetailFlow() {}

    @GetMapping("/getEvent")
    public List<EventResponse> getAllEvents() {}

    @PostMapping("/get-available-slots")
    public List<AvailableSlotsResponse> getAvailableSlots(@RequestBody AvailableSlotsRequest request) {}

    @GetMapping("/get-available-slots/{bookingId}")
    public ResponseEntity<?> getAvailableSlots(@PathVariable String bookingId) {}

    @PostMapping("/postEvent")
    public ResponseEntity<?> postEvent(@RequestBody EventRequest request) {}

    @PutMapping("/updateEvent/{eventId}")
    public ResponseEntity<?> putEvent(@PathVariable String eventId, @RequestBody EventUpdateRequest request) {}

    @DeleteMapping("/deleteEvent/{eventId}")
    public ResponseEntity<?> deleteEvent(@PathVariable String eventId) {}
}
// Security configuration as posted, with the trailing commas inside the varargs
// calls removed (Java does not allow them) and the call parenthesised so it compiles.
authorizeHttpRequests(auth -> auth
        .requestMatchers("/admin/login", "/user/send-otp", "/user/verify-otp",
                         "/event/get-available-slots", "/event/get-marker-data",
                         "/setting/settings-in-retail-flow")
        .permitAll()
        // the admin rule only "works" when written with the leading wildcard
        .requestMatchers("*/event/updateEvent", "*/event/postEvent", "*/event/deleteEvent")
        .hasRole("admin")
)

I've also worked on another project where similar role-based access control configurations didn't require the use of wildcards. Is there a difference in configuration or behavior that might explain this discrepancy?

@RestController
@RequestMapping("/api/aabushan")
public class TagController {
    @PostMapping("/tags")
    public ResponseEntity<?> addTag(@RequestBody TagRequest request) {
        TagResponse newTag = tagService.addNewTag(request);
        return ResponseEntity.status(HttpStatus.CREATED).body(newTag);
    }
}

Specific Issues: Why is a wildcard necessary in URL patterns like "/event/updateEvent", "/event/postEvent", "*/event/deleteEvent" for hasRole("admin") and not necessary in "/event/get-available-slots" and "/event/get-marker-data"? Is there a specific Spring Security rule mandating this usage, and why does removing or inconsistently adding wildcards cause errors?


There are 0 answers
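The following program is an added illustration, not code from the question or from Spring. It feeds the request paths that the posted EventController actually serves into org.springframework.util.AntPathMatcher (the matcher behind Spring Security's AntPathRequestMatcher; the MvcRequestMatcher that Spring Security 6 uses when Spring MVC is present applies the same single-segment and multi-segment meaning to "/*" and "/**") and reports which paths each candidate pattern covers. The class name, the method names and the IDs in the sample paths are made up for the demonstration; spring-core must be on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.util.AntPathMatcher;

/*
 * Added demonstration (hypothetical class, not from the question). Shows why an exact
 * pattern such as "/event/updateEvent" never applies to the PUT endpoint, which is
 * mapped with a {eventId} path variable, and why the "*\/event/updateEvent" form from
 * the question is not a fix: it matches nothing, so the admin rule simply stops applying
 * and the request is decided by whatever rule comes later in the chain.
 */
public class EventPatternDemo {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Request paths derived from the posted EventController mappings (IDs are constructed). */
    static final List<String> REQUEST_PATHS = List.of(
            "/event/get-marker-data",            // GET, no path variable
            "/event/get-available-slots",        // POST, no path variable
            "/event/get-available-slots/B-17",   // GET, {bookingId}
            "/event/postEvent",                  // POST, no path variable
            "/event/updateEvent/E-42",           // PUT, {eventId}
            "/event/deleteEvent/E-42");          // DELETE, {eventId}

    /** True when the Ant-style pattern matches the whole request path. */
    static boolean matches(String pattern, String path) {
        return MATCHER.match(pattern, path);
    }

    /** Every path in REQUEST_PATHS that a rule written with this pattern would apply to. */
    static List<String> coveredPaths(String pattern) {
        List<String> covered = new ArrayList<>();
        for (String path : REQUEST_PATHS) {
            if (matches(pattern, path)) {
                covered.add(path);
            }
        }
        return covered;
    }

    public static void main(String[] args) {
        List<String> patterns = List.of(
                "/event/get-available-slots",   // exact: covers the POST endpoint only
                "/event/updateEvent",           // exact: covers nothing, the PUT path carries {eventId}
                "*/event/updateEvent",          // no leading slash: covers nothing either, so the rule is dead
                "/event/updateEvent/*",         // exactly one more segment: covers /event/updateEvent/E-42
                "/event/updateEvent/**",        // zero or more further segments: covers both forms
                "/event/**");                   // everything under /event, far broader than an admin-only rule should be

        for (String pattern : patterns) {
            System.out.printf("%-30s -> %s%n", pattern, coveredPaths(pattern));
        }
    }
}
```

Two points worth checking against the output. First, a matcher that covers no path is not a configuration error in Spring Security: the request falls through to the next rule, so "the admin endpoints work once I add the wildcard" can mean that the hasRole("admin") rule no longer applies to them at all, which is the opposite of what was intended. Patterns such as "/event/updateEvent/*" and "/event/deleteEvent/*" (or the HttpMethod-qualified form requestMatchers(HttpMethod.PUT, "/event/updateEvent/*")) cover the path-variable endpoints while keeping the rule narrow. Second, hasRole("admin") is satisfied only by an authority named ROLE_admin; if the authenticated user carries the plain authority "admin", the exact pattern "/event/postEvent" does match and access is correctly denied, which is a separate thing to verify before changing any pattern.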