Spring security jsp tag authorize
It can be used to check access against a URL:
<sec:authorize url="/details" var="allow_url_details"/>
It uses WebInvocationPrivilegeEvaluator for evaluation. The rules are taken from the HttpSecurity config:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration // class name is illustrative
public class WebSecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            .requestMatchers("/details").hasAnyRole("OPERATOR", "TECH")
            .requestMatchers("/static/*", "/*", "/favicon/*").permitAll()
            .anyRequest().authenticated()
        );
        // ...
        return http.build();
    }
}
On the other side, I have @EnableMethodSecurity(jsr250Enabled = true), and on the controller there is @RolesAllowed:
import jakarta.annotation.security.RolesAllowed;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class DetailController extends ControllerTemplate {
    @GetMapping("/details")
    @RolesAllowed({"OPERATOR", "TECH"}) // JSR-250: requires ROLE_OPERATOR or ROLE_TECH
    public String list() {
        return "details/list";
    }
}
So we have two places where access is declared:
- in http.authorizeHttpRequests (to get <sec:authorize url="/details"> to work)
- with @GetMapping (or @Controller)
Can I (and how do I) use only the JSR-250 way of defining allowed URLs, so I can use the sec:authorize tag without configuring the same URLs in the HttpSecurity setup?
Now we have the functionality. The draft implementation looks like this:
https://gist.github.com/ol-loginov/e39dec6aebe5a39bce9dfc473282bbb2
It uses almost no security rules in HttpSecurity (except basic ones), and takes into account JSR-250, @Secured and @PreAuthorize annotations.
It has a little overhead, because we need to resolve the controller method twice: here and again in the DispatcherServlet.
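As an added example (not code from the question, the answer or the linked gist; the class name, the constructor wiring and the MockHttpServletRequest probe are my assumptions), here is one way to build such an evaluator on Spring Security 6 / Spring MVC 6. It resolves the handler method for the URL through RequestMappingHandlerMapping and delegates the annotation check to the same AuthorizationManager classes that @EnableMethodSecurity uses, so @RolesAllowed, @Secured and @PreAuthorize are honoured with the same role prefix and SpEL semantics. It also keeps the HttpSecurity-backed evaluator as a first gate, so the tag mirrors the runtime order (AuthorizationFilter first, method interceptor second) instead of answering something the filter chain would later contradict:

```java
import java.util.List;
import java.util.function.Supplier;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.method.Jsr250AuthorizationManager;
import org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager;
import org.springframework.security.authorization.method.SecuredAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.util.SimpleMethodInvocation;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import org.springframework.web.util.ServletRequestPathUtils;

/**
 * Illustrative WebInvocationPrivilegeEvaluator (class name and wiring are assumptions, not the gist's code):
 * answers <sec:authorize url="..."> by resolving the controller method the URL maps to and applying its
 * @RolesAllowed / @Secured / @PreAuthorize annotation, on top of the decision of the HttpSecurity evaluator.
 */
public class HandlerMethodPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator {

    private final RequestMappingHandlerMapping handlerMapping;
    private final WebInvocationPrivilegeEvaluator urlRules; // the evaluator HttpSecurity already provides

    // The same managers @EnableMethodSecurity uses, so "ROLE_" prefixing and SpEL behave as at runtime.
    private final List<AuthorizationManager<MethodInvocation>> annotationManagers = List.of(
            new Jsr250AuthorizationManager(),        // @RolesAllowed, @PermitAll, @DenyAll
            new SecuredAuthorizationManager(),       // @Secured
            new PreAuthorizeAuthorizationManager()); // @PreAuthorize

    public HandlerMethodPrivilegeEvaluator(RequestMappingHandlerMapping handlerMapping,
                                           WebInvocationPrivilegeEvaluator urlRules) {
        this.handlerMapping = handlerMapping;
        this.urlRules = urlRules;
    }

    @Override
    public boolean isAllowed(String uri, Authentication authentication) {
        return isAllowed(null, uri, null, authentication);
    }

    @Override
    public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
        // Runtime order is AuthorizationFilter first, method interceptor second: mirror that here.
        if (authentication == null || !urlRules.isAllowed(contextPath, uri, method, authentication)) {
            return false;
        }
        HandlerMethod handler = resolveHandler(contextPath == null ? "" : contextPath, uri,
                method == null ? "GET" : method);
        if (handler == null) {
            return true; // not an MVC handler (static resource, unmapped path): the URL rules alone decide
        }
        MethodInvocation invocation = new SimpleMethodInvocation(handler.getBean(), handler.getMethod());
        Supplier<Authentication> auth = () -> authentication;
        for (AuthorizationManager<MethodInvocation> manager : annotationManagers) {
            AuthorizationDecision decision = manager.check(auth, invocation);
            if (decision != null) { // null means this manager found no annotation on method or class
                return decision.isGranted();
            }
        }
        return true; // mapped but unannotated: at runtime nothing beyond the URL rules applies either
    }

    /** Second handler resolution (the DispatcherServlet does its own later): the overhead noted in the answer. */
    private HandlerMethod resolveHandler(String contextPath, String uri, String method) {
        // A throw-away probe request keeps path-parsing attributes off the live request being rendered.
        // MockHttpServletRequest comes from spring-test, which therefore must be on the runtime classpath.
        MockHttpServletRequest probe = new MockHttpServletRequest(method, contextPath + uri);
        probe.setContextPath(contextPath);
        ServletRequestPathUtils.parseAndCache(probe); // PathPattern matching expects a parsed RequestPath
        try {
            HandlerExecutionChain chain = handlerMapping.getHandler(probe);
            return (chain != null && chain.getHandler() instanceof HandlerMethod hm) ? hm : null;
        } catch (Exception ex) { // e.g. HttpRequestMethodNotSupportedException: treat as "no handler"
            return null;
        }
    }
}
```

Two things to check when wiring this up. The JSP tag obtains its evaluator from the application context by type, and Spring Security's web configuration already publishes a WebInvocationPrivilegeEvaluator, so confirm which bean `<sec:authorize url>` actually resolves in your setup (a log line in isAllowed is enough). And a default-constructed PreAuthorizeAuthorizationManager has no application context behind its expression handler, so @PreAuthorize expressions that reference beans need setExpressionHandler with a DefaultMethodSecurityExpressionHandler whose setApplicationContext has been called.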