Question

I would like to allow the user to navigate through the site but restrict access to some operations/pages where he must be logged in to do so. How do I achieve this using Spring Security configuration?

I'm not sure if Spring Security is the way though.


Solution

Within your Spring Security configuration, you can do something like this:

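<!-- Plain-token access syntax (use-expressions="false" on <http>); rules are matched top to bottom, so the catch-all goes last -->
<intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https" />
<intercept-url pattern="/secure/**" access="ROLE_USER, ROLE_ADMIN" requires-channel="https" />
<!-- permitAll is only valid with use-expressions="true"; the plain-token equivalent is IS_AUTHENTICATED_ANONYMOUSLY -->
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="any" />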

Then prefix all of your protected pages with /secure/. This will allow people to navigate the entire site except pages in /secure/ and /admin/.

Also, instead of ROLE_USER, you can use IS_AUTHENTICATED_FULLY (as opposed to IS_AUTHENTICATED_REMEMBERED or IS_AUTHENTICATED_ANONYMOUSLY).

The requires-channel is only if you are using https, which you should be if you are trying to protect content.
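
The same three rules written in expression syntax, inside a complete security context file. This is an added example, not part of the original answer; the in-memory `demo` user, its placeholder password and the default login form are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- use-expressions="true": every access attribute is a SpEL expression,
       so bare role names cannot be mixed with permitAll in the same block. -->
  <http use-expressions="true">
    <!-- Rules are evaluated top to bottom and the first match wins:
         keep the specific patterns above the catch-all. -->
    <intercept-url pattern="/admin/**"
                   access="hasAuthority('ROLE_ADMIN')" requires-channel="https" />
    <!-- Alternative for this rule: access="isFullyAuthenticated()", the
         expression counterpart of IS_AUTHENTICATED_FULLY (no remember-me). -->
    <intercept-url pattern="/secure/**"
                   access="hasAnyAuthority('ROLE_USER','ROLE_ADMIN')"
                   requires-channel="https" />
    <intercept-url pattern="/**" access="permitAll" requires-channel="any" />

    <!-- Assumption: the framework's default login form and logout handling. -->
    <form-login />
    <logout />
  </http>

  <!-- Assumption: one in-memory account for local testing only.
       CHANGE_ME is a placeholder; the {noop} prefix (plain-text password)
       applies to Spring Security 5 and later. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="demo" password="{noop}CHANGE_ME" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

Because `/**` accepts any channel, the session cookie travels over plain HTTP whenever it is not marked Secure; requiring https on the catch-all rule as well avoids that.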

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow