7

Is there a way to "ask" spring security if the current request is secure? Because even if I am authenticated I want to detect if I am in a secure protected URL or in a anonymous / public page

Thanks in advance!

Improve this question
4
  • you mean request including intercept-url pattern or it is ssl authenticated? Commented Sep 2, 2012 at 13:54
  • i mean intercept-url pattern and secured annotation. Commented Sep 2, 2012 at 21:37
  • I want to test that the current request I am in, is either anonymous or it has been marked as secured either using a config or using @Secured annotation Commented Sep 2, 2012 at 21:38
  • Where you able to resovle this? I'd like to know too if the request URL shall be protected. Commented Sep 27, 2012 at 14:45

3 Answers 3

Reset to default
2

Spring Security provides JSP tag support for this. For example:

<sec:authorize url="/admin">

This content will only be visible to users who are authorized to access the "/admin" URL.

</sec:authorize>

Thymeleaf provides a Spring Security Dialect that has direct support for checking URL authorization with Spring Security. For example:

<div sec:authorize-url="/admin">
    This will only be displayed if authenticated user can call the "/admin" URL.
</div>

If your technology does not support performing the check directly, you can easily use the WebInvocationPrivilegeEvaluator (this is the object that the JSP taglib and Thymeleaf use). For example, you can @Autowire an instance of WebInvocationPrivilegeEvaluator and use it directly. Obviously the syntax will vary depending on where you use it (i.e. GSP, Freemarker, etc), but here is an example in straight Java code.

@Autowired
WebInvocationPrivilegeEvaluator webPrivs;

public void useIt() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

    boolean hasAdminAccess = webPrivs.isAllowed("/admin", authentication);

    boolean hasAdminPostAccess = webPrivs.isAllowed(null, "/admin", "POST", authentication);
}
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

This is right but it only works for url patterns defined in spring-security.xml (not for @PreAuthorize annotated controller methods) as i noticed some time ago. You can check this stackoverflow.com/questions/27984557/…
How can I obtain this WebInvocationPrivilegeEvaluator when I do not use Spring Context?
0

I think you can use your own implementation for AccessDecisionVoter then just simply override Vote method and compare intercept url using filterInvocation.getRequestUrl(); method. 

@Override
public int vote(Authentication authentication, FilterInvocation filterInvocation,
    Collection<ConfigAttribute> attributes) {
  String requestUrl = filterInvocation.getRequestUrl();
  ....
}
Improve this answer

Comments

0

We can mark it is as secure channel so converted to https:// url.

    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" requires-channel="https" />

We can then use request.getScheme() to identify it. I used org.springframework.security.version 3.1.4.RELEASE

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.