azalut - 1 month ago
Java Question

antMatchers Spring Security pattern with changeable URL user ID

I was looking for the answer for a long time but couldn't find anything productive.

In my REST service I keep some functionality under /account/{id}/download, and I would like to set the access role in the SecurityConfig Java file so that only ROLE_TOKENSAVED users can access this URL.

What should the pattern look like when {id} is changeable?

I tried some regexp patterns, but nothing worked as I wanted. Here are some of my attempts:

1. antMatchers("account/**/download").access(somerolehere)
2. antMatchers("account/\\d/download").access(somerolehere)
3. antMatchers("account/[\\d]/download").access(somerolehere)


Thanks in advance for your answers :)

edit:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/admin**").access("hasRole('ROLE_ADMIN')")
            .antMatchers("/account*//**").access("hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')")
            .antMatchers("/account/\\d+/download").access("hasRole('ROLE_TOKENSAVED')")
            .antMatchers("/user**").permitAll()
            //othercode...
    }

Answer

This works for me:

antMatchers("/account/{\\d+}/download").access("hasAnyAuthority('ROLE_TOKENSAVED')")

Notice the curly braces around the path variable representing the ID.