RESTful Security issue

 
Greenhorn
Posts: 23
Hi all,
... I have an issue that I can't solve!
It is a project with Spring 3 (3.2.3) MVC and AngularJS (a JavaScript framework which I never used). AngularJS manages the presentation portion and uses the Spring controllers as web services, using the RESTful methods that Spring provides. They asked me to create a LOGIN page and divide the REST services by role access.

The dependencies are:


To solve the authentication, I created a simple "form-based" login pattern, a login.jsp page and an XML configuration as follows:

When I try to access the REST web services I am automatically redirected to the configured login page; after logging in I can access the root context correctly.
With the authorization phase I had the big problem, in fact with the configured filter.

It should filter access to the context path "/revision*", which includes a set of RESTful methods, for only the user with role "ROLE_REVISION", but this does not happen.
So I can access these "secured" methods with any of the configured users, no matter what the authenticated role is.

Doing some research on the internet I found this on http://www.baeldung.com:
"The <http> element is the main container element for HTTP security configuration. [...]. Note that the mapping is relative to the root context of the web application, not to the rest Servlet; this is because the entire security configuration lives in the root Spring context and not in the child context of the Servlet".
So apparently Spring Security does not handle the REST Servlet. Have you dealt with something similar?
How can I solve this?
 
Ranch Hand
Posts: 426
Eclipse IDE Fedora Linux
If you are redirected to login page, that means your Authentication header is missing. Find a way to get your Authentication header included in the HTTP request and you won't be redirected.
 
Luigi Mattino'
Greenhorn
Posts: 23
Hi Roger, thanks for your answer.
I think that my writing was not clear: I am redirected to the login page when I am not authenticated; when I POST my login form I am allowed into the context path until logout.
The problem is that if I access with the "browser" user (that has ROLE_BROWSER) I can also access "/revision*", which I configured only for the "revision" user (that has ROLE_REVISION).
I hope I was clear.
 
Rancher
Posts: 2759
Eclipse IDE Spring Tomcat Server
I am not sure, but I think the problem might be that you have to use



instead of



Notice the dot.
 
Don't get me started about those stupid light bulbs.
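
An added example, not code from any poster in this thread: it checks which request paths an Ant-style pattern such as the `/revision*` from the question covers, using Spring's `AntPathMatcher`, where `*` stays inside one path segment and `**` spans segments. It assumes Ant-style matching for the intercept-url rules, a hypothetical `/rest` servlet prefix, a hypothetical catch-all rule, and one role per rule and per user.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Simplified model of ordered intercept-url rules: the first matching pattern decides.
public class InterceptUrlCheck {
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Returns the role required by the first matching rule, or null if none matches.
    static String requiredRole(Map<String, String> rules, String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (MATCHER.match(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return null;
    }

    static void report(String label, Map<String, String> rules, List<String> paths, String userRole) {
        System.out.println(label);
        for (String path : paths) {
            String required = requiredRole(rules, path);
            // A path that no rule matches is treated as unsecured in this model.
            boolean allowed = required == null || required.equals(userRole);
            System.out.printf("  %-22s requires %-14s -> %s for %s%n",
                    path, required, allowed ? "ALLOWED" : "DENIED", userRole);
        }
    }

    public static void main(String[] args) {
        // Constructed request paths, relative to the web application root;
        // "/rest" is a hypothetical mapping for the REST servlet.
        List<String> paths = Arrays.asList("/revision", "/revision/list", "/rest/revision/list");
        // Constructed rule set: the pattern from the question plus a hypothetical catch-all.
        Map<String, String> asPosted = new LinkedHashMap<String, String>();
        asPosted.put("/revision*", "ROLE_REVISION");
        asPosted.put("/**", "ROLE_BROWSER");
        // Constructed alternative that also covers sub-paths and the servlet prefix.
        Map<String, String> widened = new LinkedHashMap<String, String>();
        widened.put("/revision/**", "ROLE_REVISION");
        widened.put("/rest/revision/**", "ROLE_REVISION");
        widened.put("/**", "ROLE_BROWSER");
        report("Rules with /revision*:", asPosted, paths, "ROLE_BROWSER");
        report("Rules with /revision/** and /rest/revision/**:", widened, paths, "ROLE_BROWSER");
    }
}
```

Run it with spring-core on the classpath and compare the two reports for the sub-path and servlet-prefixed requests.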