How does http security hasRole() method work -
I have developed a RESTful API in Spring that retrieves user info from a database (MongoDB) and returns the data to the client that consumes the REST API. Before the data is retrieved, the REST API checks to see if the user is an admin or not; only an admin can perform operations that retrieve user info.
So in the SecurityConfig.java class I have this:
http.authorizeRequests().antMatchers("/users/get/**", "/users/get/**").hasRole("admin"); http.httpBasic();
Now, the users have roles, and this is working as expected in the sense that when I call curl adminusername:adminpassword@localhost:8080/users/get/allusers
I am able to retrieve the users because the user with username adminusername
is an admin and has permission. If I replace adminusername with a
non-admin username, I get an access denied error.
My question is, is the adminusername:adminpassword
part before @localhost:8080.... a header of the HTTP request?
The reason I ask is because I need to create a client that is able to log in, have its credentials (username and password) verified, and have the username and password used as a session ID, so that each time the client makes an HTTP request after being logged in, the username and password are appended to the header and processed by the REST API.
Is the hasRole() of
http.authorizeRequests().antMatchers("/users/get/**", "/users/get/**").hasRole("admin");
in the security config dependent on the username:password
before @localhost:8080....? Is that the same thing as @RequestHeader
of the Spring REST API?
First of all, HTTP Basic is a way to send user credentials through a header:
var header = {'Authorization': 'Basic ' + btoa(username + ':' + password)}; // JavaScript
The second thing is the authorities of the user. In your system you have to create users and add privileges to them, for example:
@Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("mati").password("qwerty").roles("admin", "user").and().withUser("mati2").password("qwerty").roles("user"); }
These users later become objects of the class Principal,
which has granted authorities (like "ROLE_user" or "ROLE_admin").
When calling, for example,
curl adminusername:adminpassword@localhost:8080/users/get/allusers
Spring Security checks for the proper Principal
(with the given username, and checks if the password matches), loads the SecurityContext,
and checks if the Principal
has the authority "ROLE_admin" (by hasRole("admin")).
I must add that this is tricky, and I don't remember exactly if it was hasRole("admin")
or hasRole("ROLE_admin").
I hope this answers your question(s).
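To make the answer concrete, here is an added example (not code from the original post or from Spring) that shows both halves of the exchange: the client turns user:pass into the Basic Authorization header, and the server decodes it, finds the Principal, and applies the ROLE_ prefixed check that hasRole() performs. The user table, role names and status codes are constructed for illustration.

```javascript
// Added example, not from the original post: what curl does with the
// "user:pass@host" form on the client, and what Spring Security's Basic
// filter plus hasRole() do with it on the server. Users are constructed.

// Client: curl turns adminusername:adminpassword@host into this header.
// Same value as 'Basic ' + btoa(username + ':' + password) in a browser.
function basicAuthHeader(username, password) {
  const token = Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
  return { Authorization: `Basic ${token}` };
}

// Server: decode the header back into credentials; null if absent or not Basic.
function parseBasicAuth(headers) {
  const value = headers.Authorization || headers.authorization;
  const m = value && /^Basic\s+(\S+)$/i.exec(value.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the FIRST colon: passwords may contain ':'
  if (sep < 0) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Constructed users, as inMemoryAuthentication() in the answer would register them.
// Spring stores roles("admin", "user") as the authorities "ROLE_admin", "ROLE_user".
const USERS = {
  mati:  { password: 'qwerty', authorities: ['ROLE_admin', 'ROLE_user'] },
  mati2: { password: 'qwerty', authorities: ['ROLE_user'] },
};

// hasRole("admin") means "has the authority ROLE_admin". This toy accepts the
// argument with or without the prefix, which is the ambiguity the answer recalls
// (newer Spring Security versions add the prefix themselves and reject an
// argument that already starts with ROLE_).
function hasRole(authorities, role) {
  const wanted = role.startsWith('ROLE_') ? role : `ROLE_${role}`;
  return authorities.includes(wanted);
}

// The check run before /users/get/** returns anything: 401 when the credentials
// are missing or wrong (no principal), 403 when the principal lacks the role.
// A real server compares a password hash, not the plaintext as done here.
function authorize(headers, requiredRole) {
  const creds = parseBasicAuth(headers);
  const user = creds && USERS[creds.username];
  if (!user || user.password !== creds.password) return { status: 401 };
  if (!hasRole(user.authorities, requiredRole)) return { status: 403 };
  return { status: 200, principal: creds.username };
}
```

Note that the username and password travel with every request; the Authorization header is the credential itself, not a session ID, so it must be sent only over TLS.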