WEB/Security

Lesson 24,25 - Authorities, Roles and Matcher methods (mvc,ant)

Tony Lim 2022. 5. 14. 14:50
728x90

authorities and roles are logical terms.

authority = actions

role = badges

both of them are based on GrantedAuthority interface

 

var u1 = User.withUsername("john")
      .password("12345")
      .authorities("ROLE_ADMIN")  // -> a role ADMIN
      .build();

var u2 = User.withUsername("bill")
      .password("12345")
      .roles("MANAGER")   // -> authority ROLE_MANAGER
      .build();

if we use roles() method it automatically add ROLE_ prefix -> and create SimpleGrantedAuthority which implement GrantedAuthority

 

public static List<GrantedAuthority> createAuthorityList(String... authorities) {
    List<GrantedAuthority> grantedAuthorities = new ArrayList(authorities.length);
    String[] var2 = authorities;
    int var3 = authorities.length;

    for(int var4 = 0; var4 < var3; ++var4) {
        String authority = var2[var4];
        grantedAuthorities.add(new SimpleGrantedAuthority(authority));
    }

    return grantedAuthorities;
}
public User.UserBuilder roles(String... roles) {
    List<GrantedAuthority> authorities = new ArrayList(roles.length);
    String[] var3 = roles;
    int var4 = roles.length;

    for(int var5 = 0; var5 < var4; ++var5) {
        String role = var3[var5];
        Assert.isTrue(!role.startsWith("ROLE_"), () -> {
            return role + " cannot start with ROLE_ (it is automatically added)";
        });
        authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
    }

    return this.authorities((Collection)authorities);
}

both of them (authority , roles) are returning List of GrantedAuthority

 


http.authorizeRequests()
      .mvcMatchers("/hello").hasRole("ADMIN")
      .mvcMatchers("/ciao").hasRole("MANAGER")
      .mvcMatchers("/c/{name}").authenticated()
      .anyRequest().authenticated();

hasRole will find ROLE_ prefixed from User's GrantedAuthority

 

http.authorizeRequests()
      .antMatchers("/a").authenticated() // /a
      .anyRequest().permitAll(); // /a/

alway use mvcMatchers because spring will consider "/a" and "/a/" same but ant matchers is exact match

so if some one sends non authenticated request to "/a/" , it will go to permitAll()

 

 

 

 

728x90
저작자표시

'WEB > Security' 카테고리의 다른 글

Lesson 27 - Method authorization configurations  (0) 2022.05.16
Lesson 26 - Endpoint authorization rules for an OAuth 2 resource server  (0) 2022.05.14
Lesson 23 - Configuring endpoint authorization  (0) 2022.05.13
Lesson 20 - Using Keycloak as an authorization server  (0) 2022.05.11
Lesson 19 - Configuring the authorization server to expose the public key  (0) 2022.05.11

'WEB/Security'의 다른글

  • 현재글Lesson 24,25 - Authorities, Roles and Matcher methods (mvc,ant)

관련글

댓글

티스토리툴바