2

my application uses spring security. I know you can use antMatchers to permit requests for some URI that are mapped into your application. But I need too allow requests made from an external api to a URI in my application and just for that api. I need something like this:

     @Override
     protected void configure(WebSecurity web) throws Exception 
     {            
        web.ignoring()
          .antMatchers("http://externalTestApi.com");
     }

Does anybody know if this is possible? I did not find anything on this.

Bobernac Alexandru
  • 169
  • 1
  • 2
  • 11

1 Answers1

2

You can do something like this (if you want to combine multiple conditions)

.authorizeRequests()
.antMatchers("/user/list")
.access("authenticated or hasIpAddress('666.666.666.666') or hasIpAddress('127.0.0.1') or hasIpAddress('0:0:0:0:0:0:0:1')")

or

.authorizeRequests()
.antMatchers("/user/list")
.hasIpAddress("0.0.0.0/0");
prettyvoid
  • 3,446
  • 6
  • 36
  • 60
  • that works for the configure method that accepts a HttpSecurity as parameter, I need this for configure method with WebSecurity. – Bobernac Alexandru Oct 04 '17 at 12:38
  • Aren't you extending `WebSecurityConfigurerAdapter`? Just @override `configure(HttpSecurity http)` and do your security there? – prettyvoid Oct 04 '17 at 12:50
  • in WebSecurityConfigurerAdapter there are 2 configure methods, one that takes a HttpSecurity and one that takes WebSecurity, I need this for the one with WebSecurity because that is were the request is filtered and I get a 403 null. I am making a post from the api using RestTemplate and beacuse it is post it does some filtering and has a problem with my session. – Bobernac Alexandru Oct 04 '17 at 12:56
  • If you move it to the method with HttpSecurity then security will be done in that layer.. I don't see any reason that prevents you to move your code to HttpSecurity.. see the differences here https://stackoverflow.com/questions/22998731/httpsecurity-websecurity-and-authenticationmanagerbuilder – prettyvoid Oct 04 '17 at 13:10
  • The two configuration methods have different purposes, as it is said in the link you posted, with WebSecurity you can reject requests, the security configuration is in such a way made that the request is rejected by some filters, if my I do what you suggested, my request will be rejected before it reaches any config that I make on HttpSecurity. – Bobernac Alexandru Oct 04 '17 at 13:33
  • I need a way to tell spring security to not reject my request if it is coming from a certain URL. – Bobernac Alexandru Oct 04 '17 at 13:34