0

I've created a web service with Spring Roo and added Spring Security to the project. Everything works fine so far, but now I want to allow access to entity information via HTTP GET requests without any authentication. The other HTTP methods like POST, PUT etc. should stay secure.

My applicationContext-security.xml looks like the following, but when I do an HTTP GET on "/releaseupdates/" with an "Accept: application/json" header it always returns the login page (I think Spring Security redirects to the login page internally):

    <http auto-config="true" use-expressions="true">
        <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
        <logout logout-url="/resources/j_spring_security_logout" />
        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/releaseupdates/**" access="permitAll" method="GET" />
        <intercept-url pattern="/releaseupdates/**" access="hasRole('ROLE_ADMIN')" method="POST" />
        <intercept-url pattern="/releaseupdatestatuses/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/member/**" access="isAuthenticated()" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/login/**" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
    </http>
seveves
  • It is still secured because of the last line. Try adding `security="none"` on the GET intercept-url – Alexander Jun 04 '15 at 12:41
  • There is no "security" on the intercept-url tag, is there? – seveves Jun 04 '15 at 12:52
  • Funny ... I had to do a system reboot because of updates and now it works. Maybe the tomcat deployment didn't work correctly. Now it is working like it should. Damn. – seveves Jun 04 '15 at 13:09

1 Answer

2

There is also an annotation @PreAuthorize which could be your friend here. The annotation could be at class or method level on your Controllers.

Here's an example:

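    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;

    @Controller
    @RequestMapping("/releaseupdates")
    public class ReleaseUpdateController {

        // No security annotation: method security adds no check here
        @RequestMapping(method = RequestMethod.GET)
        public String unprotectedGetRequest() {
            // do something, no protection
            return "releaseupdates/list"; // placeholder view name
        }

        // Only callers holding ROLE_ADMIN may invoke this handler
        @PreAuthorize("hasRole('ROLE_ADMIN')")
        @RequestMapping(method = RequestMethod.POST)
        public String securePostRequest() {
            // do something, secured
            return "releaseupdates/show"; // placeholder view name
        }

    }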
NickJ
  • Hm I've scaffolded all the controllers with Spring Roo and in the .aj it tells me not to edit those files. – seveves Jun 04 '15 at 12:59
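
An added example, not part of the original question or answer: a variant of the question's `<http>` element in which every non-GET method on `/releaseupdates/**` requires `ROLE_ADMIN`, followed by the element that turns on the `@PreAuthorize` checks used in the answer. It assumes the namespace-based configuration shown in the question and is a fragment; the rest of applicationContext-security.xml stays as it is.

```xml
<!-- Added example: replacement for the <http> element in the question's
     applicationContext-security.xml. -->
<http auto-config="true" use-expressions="true">
    <form-login login-processing-url="/resources/j_spring_security_check"
                login-page="/login"
                authentication-failure-url="/login?login_error=t" />
    <logout logout-url="/resources/j_spring_security_logout" />

    <!-- Rules are evaluated top to bottom; the first match decides. -->

    <!-- Anonymous read access: this rule matches GET requests only. -->
    <intercept-url pattern="/releaseupdates/**" method="GET" access="permitAll" />

    <!-- No method attribute, so this rule matches every other verb on the
         same pattern (POST, PUT, DELETE, PATCH, ...). The question's rule set
         listed POST only, so PUT and DELETE fell through to the final /**
         rule and required a login but not ROLE_ADMIN. -->
    <intercept-url pattern="/releaseupdates/**" access="hasRole('ROLE_ADMIN')" />

    <intercept-url pattern="/releaseupdatestatuses/**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/member/**" access="isAuthenticated()" />
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/login/**" access="permitAll" />

    <!-- Default: anything not matched above requires a login. -->
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>

<!-- Required for @PreAuthorize to be enforced; without it the annotation
     is ignored. Declare it in the application context that creates the
     annotated beans (for controllers, the DispatcherServlet context). -->
<global-method-security pre-post-annotations="enabled" />
```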