How does the HTTP security hasRole() method work?


I have developed a RESTful API in Spring that retrieves user info from a database (MongoDB) and returns the data to a client that consumes the REST API. Before the data is retrieved, the REST API checks to see whether the user is an admin or not. Only an admin can perform operations that retrieve user info.

So in the SecurityConfig.java class I have this:

    http.authorizeRequests()
        .antMatchers("/users/get/**", "/users/get/**").hasRole("ADMIN");
    http.httpBasic();

Now, users have roles, and this is working as expected in the sense that when I call

    curl adminusername:adminpassword@localhost:8080/users/get/allusers

I am able to retrieve users because the user with the username adminusername is an admin and has permission. If I replace adminusername with a non-admin username, I get an access denied error.

My question is: is the adminusername:adminpassword part before @localhost:8080.... a header of the HTTP request?

The reason I ask is that I need to create a client that is able to log in, have its credentials (username and password) verified, and have the username and password used as a session id, so that every time the client makes HTTP request calls after being logged in, the username and password are appended to the header and processed by the REST API.

Is the hasRole() in

    http.authorizeRequests()
        .antMatchers("/users/get/**", "/users/get/**").hasRole("ADMIN");

in the security config dependent on the username:password before @localhost:8080....? Is it the same thing as @RequestHeader in a Spring REST API?

First of all, HTTP Basic is a way to send user credentials through a header:

    var header = {'Authorization': 'Basic ' + btoa(username + ':' + password)} // JavaScript

The second thing is the authorities of the user. In your system you have to create users and add privileges to them, for example:

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("mati").password("qwerty").roles("ADMIN", "USER").and()
                .withUser("mati2").password("qwerty").roles("USER");
    }

These users later become objects of the Principal class that have granted authorities (like "ROLE_USER" or "ROLE_ADMIN").

When calling, for example,

    curl adminusername:adminpassword@localhost:8080/users/get/allusers

Spring Security checks for the proper principal (with the given username, and checks whether the password matches), loads the SecurityContext, and checks whether the principal has the authority "ROLE_ADMIN" (by hasRole("ADMIN")). I must add that this part is tricky, and I don't remember exactly whether it was hasRole("ADMIN") or hasRole("ROLE_ADMIN").

I hope this answers your question(s).
