I have a custom pre-authentication filter which basically validates and creates a token.

I just want to call this pre-authentication filter only for secured APIs.

For example, I have these two APIs:

  • GET /api/products (not secure)
  • POST /api/products (secure)

When I use:

<http pattern="/api/products" security="none"/>

My pre-authentication filter is not called, but by doing this I make both APIs unsecured, because both have the same pattern /api/products.

I want to get my pre-authentication filter called only for my secure API, which is POST /api/products.

The question is: how to tell security="none" to differentiate HTTP methods (GET and POST)?

1 Answer

You can define a RequestMatcher like AntPathRequestMatcher and add the reference; see the Spring Security Reference:

request-matcher-ref: A reference to a bean that implements RequestMatcher that will determine if this FilterChain should be used. This is a more powerful alternative to pattern.

Your modified configuration:

<http request-matcher-ref="myMatcher"/>

<b:bean id="myMatcher" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
    <b:constructor-arg value="/api/products"/>
    <b:constructor-arg value="POST"/>
</b:bean>
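
An added example, not part of the original answer: the same method-aware matcher applied the other way round, so that only GET /api/products gets security="none" and every other request, POST /api/products included, stays behind the pre-authentication filter. The bean ids and the com.example classes are hypothetical placeholders for the application's own filter and authentication provider.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           https://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           https://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Matches GET /api/products only: the second constructor argument
         restricts the Ant pattern to one HTTP method. -->
    <b:bean id="publicProductsGet"
            class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
        <b:constructor-arg value="/api/products"/>
        <b:constructor-arg value="GET"/>
    </b:bean>

    <!-- <http> elements are consulted in declaration order and the first match
         wins, so the narrow unsecured chain is declared before the catch-all.
         security="none" gives this request an empty filter chain: the
         pre-authentication filter does not run and no SecurityContext is set. -->
    <http request-matcher-ref="publicProductsGet" security="none"/>

    <!-- Catch-all chain: every other request, POST /api/products included,
         goes through the pre-authentication filter and must be authenticated. -->
    <http entry-point-ref="forbiddenEntryPoint">
        <custom-filter position="PRE_AUTH_FILTER" ref="tokenPreAuthFilter"/>
        <intercept-url pattern="/**" access="isAuthenticated()"/>
    </http>

    <b:bean id="forbiddenEntryPoint"
            class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <authentication-manager>
        <authentication-provider ref="tokenAuthProvider"/>
    </authentication-manager>

    <!-- Hypothetical placeholders for the application's own filter and provider. -->
    <b:bean id="tokenPreAuthFilter" class="com.example.TokenPreAuthFilter"/>
    <b:bean id="tokenAuthProvider" class="com.example.TokenAuthenticationProvider"/>
</b:beans>
```

The pattern /api/products matches that exact path only, so sub-paths such as /api/products/1 fall through to the secured chain.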