
I'm a newbie to the Spring world. I need to create a Spring Boot / AngularJS application with some CRUD operations.

The clients need LDAP and local JDBC authentication mechanisms.

They need an authorization mechanism which is common for both sets of users.

The users should be restricted from some pages based on their roles. And separate permission sets (Create, Update, Delete) need to be applied to each user.

And the roles should be created by the Admin user.

So how can I implement page-wise authorization where the admin decides who (which role) can access which page?

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/", "/home").permitAll().antMatchers("/admin").hasRole("ADMIN")
            .anyRequest().authenticated().and().formLogin().loginPage("/login").permitAll().and().logout()
            .permitAll();
    http.exceptionHandling().accessDeniedPage("/403");
}
```

Should I specify each role-page combination in the config? Is there any way to dynamically change pages and roles, as roles may get added later?

1 Answer


You can use Spring MVC and the `@Secured` annotation:

```java
@Controller
public class MainController extends BaseController {

    @Secured("ROLE_ADMIN")
    @RequestMapping("/")
    String home(Model model) {
        return "home";
    }

}
```

The home page will be /resources/templates/home.ftl or a JSP, as you prefer. If the user is not an admin, it will redirect to the error page.

If you want, you can check permissions manually and send a redirect to another page.

P.S.: You need to add `@EnableGlobalMethodSecurity(securedEnabled = true)` to the Spring Boot configuration class in order for the `@Secured` annotation to work.

```java
@EnableAutoConfiguration
@ComponentScan
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class Application {

    public static void main(String[] args) throws Exception {
        SpringApplication.run(Application.class, args);
    }

}
```


3 Comments

What if a new role (maybe a local admin) is created after some period of time? And I think the annotation parameters cannot be changed dynamically.
You can store page-role records in the DB and check the user's authorities manually in the controller method; if not eligible, then redirect.
I changed my mind and have now decided to control access to pages and read/write permissions from the front end, and only to have basic authentication on the Spring side. This is an internal production application. How can I bring the permission data sets to the AngularJS side? Should I use filters? Is it a good idea to use Spring Security in my case? Is there any alternative to get this done?
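
The database-backed page/role lookup suggested in the comments can be enforced centrally instead of in each controller method. The following is an added example, not code from the question or the answer. It assumes a hypothetical table `page_role(pattern, role)` maintained by the admin, role names stored without the `ROLE_` prefix, a hypothetical bean name `pageAccess`, and the `javax.servlet` API used by the Spring Boot version in the question.

```java
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;

// Wire it into the existing configure(HttpSecurity) in place of
// .anyRequest().authenticated():
//   .anyRequest().access("@pageAccess.check(authentication, request)")
@Component("pageAccess") // bean name is an assumption of this example
public class PageAccess {

    private final JdbcTemplate jdbc;
    private final AntPathMatcher matcher = new AntPathMatcher();

    public PageAccess(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    /** True only if a stored rule matches the path and the user holds that rule's role. */
    public boolean check(Authentication authentication, HttpServletRequest request) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return false;
        }
        // Same path Spring Security's ant matchers see: servlet path plus path info.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        // Rules are read on every request, so roles added by the admin apply without a restart.
        // page_role(pattern, role) is a hypothetical table, e.g. ('/reports/**', 'LOCAL_ADMIN').
        List<Map<String, Object>> rules = jdbc.queryForList("SELECT pattern, role FROM page_role");
        for (Map<String, Object> rule : rules) {
            if (!matcher.match((String) rule.get("pattern"), path)) {
                continue;
            }
            String required = "ROLE_" + rule.get("role");
            for (GrantedAuthority granted : authentication.getAuthorities()) {
                if (required.equals(granted.getAuthority())) {
                    return true;
                }
            }
        }
        return false; // no matching rule, or role not held: deny by default
    }
}
```

Because the check runs in the filter chain, it applies to LDAP and JDBC users alike once both providers map their users to the same role names, and a path with no rule in the table is denied.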
