Defining authorization for specific methods and API paths, with Spring as the server and Angular as the client. This snippet does not show how security is configured end to end (authentication, token handling); it only shows where the authorization level is set. The client-side check is a UI convenience — the server-side rules are the actual enforcement.
Spring: on the server, authorization can be set at two levels — coarsely, per URL pattern in the `HttpSecurity` configuration, or finely, per method with `@PreAuthorize`. Both apply to a request: it must pass the URL rule in the filter chain before the controller method (and its `@PreAuthorize` check) is reached.
Angular
Angular/JHipster provides a structural directive to check the authorities of the current user, `*jhiHasAnyAuthority="'ROLE'"`. It conditionally includes an HTML element if the current user has any of the authorities passed as the expression. Note that this only affects what is rendered in the browser; it does not protect the API the element would call, so the matching server-side rule must exist as well.
<!--
Conditionally includes an HTML element if current user has any
of the authorities passed as the `expression`.

This only decides what the client renders; it is not an access control.
The check runs in the browser, where it can be bypassed, so every API the
hidden element would call must still be protected server-side (URL rules
in the security configuration and/or @PreAuthorize on the method).
-->
<some-element *jhiHasAnyAuthority="'ROLE_ADMIN'">...</some-element>
<some-element *jhiHasAnyAuthority="['ROLE_ADMIN', 'ROLE_USER']">...</some-element>
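/**
 * REST endpoints under /api.
 *
 * NOTE(review): the class carries the same simple name as the Spring annotation it
 * uses. Inside this compilation unit the declared class shadows the imported name, so a
 * bare {@code @RestController} would refer to this class (which is not an annotation)
 * and fail to compile; a single-type import of the annotation would clash with the
 * declaration as well. The annotation is therefore written fully qualified here. The
 * cleaner fix is to rename the class (JHipster's convention would be
 * {@code RespostaResource}).
 */
@org.springframework.web.bind.annotation.RestController
@RequestMapping("/api")
public class RestController {

    /**
     * POST /api/respostas : create a new Resposta.
     *
     * Authorization is enforced here, per method. The URL rule for {@code /api/**} in
     * the security configuration only requires an authenticated user, so this
     * {@code @PreAuthorize} is the check that actually limits the endpoint to the
     * ROLE_CLIENT_TOTEM and ROLE_ADMIN authorities. It only takes effect when method
     * security is enabled ({@code @EnableGlobalMethodSecurity(prePostEnabled = true)});
     * without that the annotation is silently ignored.
     *
     * @param resposta the request body, bean-validated ({@code @Valid}) before the
     *                 method runs
     * @return a response wrapping the created entity (body elided on this page)
     * @throws URISyntaxException propagated from building a URI in the elided body
     *                            (presumably the Location header)
     */
    @PostMapping("/respostas")
    @Timed
    @PreAuthorize("hasAnyAuthority('ROLE_CLIENT_TOTEM','ROLE_ADMIN')")
    public ResponseEntity<Resposta> createResposta(@Valid @RequestBody Resposta resposta) throws URISyntaxException {
        // ....
    }
}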
@Configuration
@Import(SecurityProblemSupport.class)
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
// ....
// Paths listed here bypass the security filter chain completely: no authentication,
// no authorization rules from configure(HttpSecurity), and no security headers.
/**
 * Paths that are excluded from the security filter chain altogether.
 *
 * A request matching any pattern here is never authenticated or authorized and gets
 * none of the security headers; rules declared for the same path in
 * {@code configure(HttpSecurity)} are not evaluated. In particular, the ADMIN-only rule
 * that method declares for {@code /swagger-ui/index.html} has no effect while the path
 * is listed here. {@code /h2-console/**} and {@code /test/**} are reachable without
 * credentials whenever those servlets are registered -- NOTE(review): confirm they are
 * only present under the dev profile before this configuration reaches production.
 */
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
        // CORS preflight: handled by corsFilter, carries no credentials to check.
        .antMatchers(HttpMethod.OPTIONS, "/**")
        // Static client assets, translations and content.
        .antMatchers("/app/**/*.{js,html}", "/i18n/**", "/content/**")
        // Swagger UI page, test endpoints and the H2 console (see note above).
        .antMatchers("/swagger-ui/index.html", "/test/**", "/h2-console/**");
}
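/**
 * HTTP security for the API: stateless, token based, with URL-level authorization.
 *
 * The {@code authorizeRequests()} rules are evaluated top-down and the first matching
 * pattern wins, so specific patterns must stay above the prefix patterns that contain
 * them ({@code /websocket/tracker} before {@code /websocket/**},
 * {@code /management/health} before {@code /management/**}). There is no
 * {@code anyRequest()} rule, so a URL matched by none of the patterns is not restricted
 * by this configuration: a new endpoint outside /api, /websocket and /management is
 * public unless a rule is added here.
 *
 * Change from the previous version: {@code frameOptions().disable()} is replaced by
 * {@code sameOrigin()}; see the inline comment.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
        .exceptionHandling()
        .authenticationEntryPoint(problemSupport)
        .accessDeniedHandler(problemSupport)
    .and()
        // Dropping CSRF protection is only safe because the session is STATELESS and
        // the credential travels in a request header; if the token is ever moved into
        // a cookie, CSRF protection must be re-enabled.
        .csrf()
        .disable()
        .headers()
        // Previously frameOptions().disable(), which removed X-Frame-Options entirely
        // and allowed any site to frame the application (clickjacking). SAMEORIGIN
        // keeps same-origin embedding working; the pages ignored in
        // configure(WebSecurity) (swagger-ui, h2-console) get no security headers
        // anyway and are unaffected. Use deny() if nothing needs to frame the app.
        .frameOptions()
        .sameOrigin()
    .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
        .authorizeRequests()
        // Coarse, URL-level authorization. Method-level @PreAuthorize in the
        // controllers adds the finer role check for requests that pass these rules.
        // Self-registration is disabled.
        .antMatchers("/api/register").denyAll()
        .antMatchers("/api/activate").permitAll()
        .antMatchers("/api/authenticate").permitAll()
        .antMatchers("/api/account/reset-password/init").permitAll()
        .antMatchers("/api/account/reset-password/finish").permitAll()
        .antMatchers("/api/profile-info").permitAll()
        // Everything else under /api only needs a valid authentication; which roles
        // may call a given endpoint is decided per method.
        .antMatchers("/api/**").authenticated()
        .antMatchers("/websocket/tracker").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/websocket/**").permitAll()
        // Health is public (typically for load-balancer probes); every other
        // management endpoint is admin-only.
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        // The API description itself is public. The ADMIN rule below protects only the
        // UI page, and not even that while the page is listed in
        // configure(WebSecurity).ignoring(), because the filter chain never sees it.
        // Restrict /v2/api-docs/** too if the API schema must not be disclosed.
        .antMatchers("/v2/api-docs/**").permitAll()
        .antMatchers("/swagger-resources/configuration/ui").permitAll()
        .antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN)
    .and()
        // NOTE(review): presumably installs the token (JWT) filter; it is defined
        // outside this view, so the token validation itself cannot be reviewed here.
        .apply(securityConfigurerAdapter());
}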