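// Webpack async chunk 258 of a VuePress documentation build. It registers module 683,
// the compiled Vue page "Authorize HttpServletRequest with FilterSecurityInterceptor".
//
// Inside the module factory, `t`/`e`/`r` are webpack's (module, exports, require).
// The render function is the page template compiled to createElement calls:
//   r(tag, data, children[, normalizationType])  – create an element / component
//   t._v(text)                                    – create a text node
// Every string passed to t._v is page content and must stay byte-identical.
//
// Fix in this revision: step 4 of the flow description contained the raw AsciiDoc
// macro text "xref:servlet/authorization.adoc#authz-access-decision-manager" in the
// rendered paragraph (the cross-reference was not resolved at build time). The leaked
// markup is dropped so the sentence reads "… to the `AccessDecisionManager`."; no link
// target is invented for it.
(window.webpackJsonp = window.webpackJsonp || []).push([
  [258],
  {
    683: function (t, e, r) {
      "use strict";
      r.r(e); // flag `exports` as an ES module (webpack runtime helper)
      var i = r(56), // presumably vue-loader's component normalizer – TODO confirm module 56
        s = Object(i.a)(
          {}, // no <script> block: empty component options
          // Render function. Must be a regular function: `this` is the component instance.
          function () {
            var t = this,
              e = t.$createElement,
              r = t._self._c || e;
            return r("ContentSlotsDistributor", { attrs: { "slot-key": t.$parent.slotKey } }, [
              // Page heading with VuePress header anchor
              r("h1", { attrs: { id: "authorize-httpservletrequest-with-filtersecurityinterceptor" } }, [
                r("a", { staticClass: "header-anchor", attrs: { href: "#authorize-httpservletrequest-with-filtersecurityinterceptor" } }, [t._v("#")]),
                t._v(" Authorize HttpServletRequest with FilterSecurityInterceptor"),
              ]),
              t._v(" "),
              // Admonition (rendered as a table): FilterSecurityInterceptor is being
              // replaced by AuthorizationFilter – readers should prefer the newer filter.
              r("table", [
                r("thead", [
                  r("tr", [
                    r("th"),
                    t._v(" "),
                    r("th", [
                      r("code", [t._v("FilterSecurityInterceptor")]),
                      t._v(" is in the process of being replaced by "),
                      r("RouterLink", { attrs: { to: "/en/spring-security/authorize-http-requests.html" } }, [r("code", [t._v("AuthorizationFilter")])]),
                      t._v("."),
                      r("br"),
                      t._v("Consider using that instead."),
                    ], 1),
                  ]),
                ]),
                t._v(" "),
                r("tbody"),
              ]),
              t._v(" "),
              // Intro paragraphs
              r("p", [
                t._v("This section builds on "),
                r("RouterLink", { attrs: { to: "/en/architecture.html#servlet-architecture" } }, [t._v("Servlet Architecture and Implementation")]),
                t._v(" by digging deeper into how "),
                r("RouterLink", { attrs: { to: "/en/spring-security/index.html#servlet-authorization" } }, [t._v("authorization")]),
                t._v(" works within Servlet based applications."),
              ], 1),
              t._v(" "),
              r("p", [
                t._v("The "),
                // External Javadoc link; target=_blank is paired with rel="noopener noreferrer"
                // so the opened page gets no handle on this window.
                r("a", { attrs: { href: "https://docs.spring.io/spring-security/site/docs/5.6.2/api/org/springframework/security/web/access/intercept/FilterSecurityInterceptor.html", target: "_blank", rel: "noopener noreferrer" } }, [
                  r("code", [t._v("FilterSecurityInterceptor")]),
                  r("OutboundLink"),
                ], 1),
                t._v(" provides "),
                r("RouterLink", { attrs: { to: "/en/spring-security/index.html#servlet-authorization" } }, [t._v("authorization")]),
                t._v(" for "),
                r("code", [t._v("HttpServletRequest")]),
                t._v("s.\nIt is inserted into the "),
                r("RouterLink", { attrs: { to: "/en/architecture.html#servlet-filterchainproxy" } }, [t._v("FilterChainProxy")]),
                t._v(" as one of the "),
                r("RouterLink", { attrs: { to: "/en/architecture.html#servlet-security-filters" } }, [t._v("Security Filters")]),
                t._v("."),
              ], 1),
              t._v(" "),
              // Figure 1
              r("p", [r("img", { attrs: { src: "https://docs.spring.io/spring-security/reference/_images/servlet/authorization/filtersecurityinterceptor.png", alt: "filtersecurityinterceptor" } })]),
              t._v(" "),
              r("p", [t._v("Figure 1. Authorize HttpServletRequest")]),
              t._v(" "),
              // Numbered walk-through of the authorization decision (steps 1–6)
              r("ul", [
                r("li", [
                  r("p", [
                    r("img", { attrs: { src: "https://docs.spring.io/spring-security/reference/_images/icons/number_1.png", alt: "number 1" } }),
                    t._v(" First, the "),
                    r("code", [t._v("FilterSecurityInterceptor")]),
                    t._v(" obtains an "),
                    r("RouterLink", { attrs: { to: "/en/authentication/architecture.html#servlet-authentication-authentication" } }, [t._v("Authentication")]),
                    t._v(" from the "),
                    r("RouterLink", { attrs: { to: "/en/authentication/architecture.html#servlet-authentication-securitycontextholder" } }, [t._v("SecurityContextHolder")]),
                    t._v("."),
                  ], 1),
                ]),
                t._v(" "),
                r("li", [
                  r("p", [
                    r("img", { attrs: { src: "https://docs.spring.io/spring-security/reference/_images/icons/number_2.png", alt: "number 2" } }),
                    t._v(" Second, "),
                    r("code", [t._v("FilterSecurityInterceptor")]),
                    t._v(" creates a "),
                    r("a", { attrs: { href: "https://docs.spring.io/spring-security/site/docs/5.6.2/api/org/springframework/security/web/FilterInvocation.html", target: "_blank", rel: "noopener noreferrer" } }, [
                      r("code", [t._v("FilterInvocation")]),
                      r("OutboundLink"),
                    ], 1),
                    t._v(" from the "),
                    r("code", [t._v("HttpServletRequest")]),
                    t._v(", "),
                    r("code", [t._v("HttpServletResponse")]),
                    t._v(", and "),
                    r("code", [t._v("FilterChain")]),
                    t._v(" that are passed into the "),
                    r("code", [t._v("FilterSecurityInterceptor")]),
                    t._v("."),
                  ]),
                ]),
                t._v(" "),
                r("li", [
                  r("p", [
                    r("img", { attrs: { src: "https://docs.spring.io/spring-security/reference/_images/icons/number_3.png", alt: "number 3" } }),
                    t._v(" Next, it passes the "),
                    r("code", [t._v("FilterInvocation")]),
                    t._v(" to "),
                    r("code", [t._v("SecurityMetadataSource")]),
                    t._v(" to get the "),
                    r("code", [t._v("ConfigAttribute")]),
                    t._v("s."),
                  ]),
                ]),
                t._v(" "),
                r("li", [
                  r("p", [
                    r("img", { attrs: { src: "https://docs.spring.io/spring-security/reference/_images/icons/number_4.png", alt: "number 4" } }),
                    t._v(" Finally, it passes the "),
                    r("code", [t._v("Authentication")]),
                    t._v(", "),
                    r("code", [t._v("FilterInvocation")]),
                    t._v(", and "),
                    r("code", [t._v("ConfigAttribute")]),
                    // Was: "s to the xref:servlet/authorization.adoc#authz-access-decision-manager"
                    // – unresolved AsciiDoc xref text removed from the visible sentence.
                    t._v("s to the "),
                    r("code", [t._v("AccessDecisionManager")]),
                    t._v("."),
                  ]),
                  t._v(" "),
                  // Outcome of the decision: deny → AccessDeniedException handled by
                  // ExceptionTranslationFilter; grant → request continues down the chain.
                  r("ul", [
                    r("li", [
                      r("p", [
                        r("img", { attrs: { src: "https://docs.spring.io/spring-security/reference/_images/icons/number_5.png", alt: "number 5" } }),
                        t._v(" If authorization is denied, an "),
                        r("code", [t._v("AccessDeniedException")]),
                        t._v(" is thrown.\nIn this case the "),
                        r("RouterLink", { attrs: { to: "/en/architecture.html#servlet-exceptiontranslationfilter" } }, [r("code", [t._v("ExceptionTranslationFilter")])]),
                        t._v(" handles the "),
                        r("code", [t._v("AccessDeniedException")]),
                        t._v("."),
                      ], 1),
                    ]),
                    t._v(" "),
                    r("li", [
                      r("p", [
                        r("img", { attrs: { src: "https://docs.spring.io/spring-security/reference/_images/icons/number_6.png", alt: "number 6" } }),
                        t._v(" If access is granted, "),
                        r("code", [t._v("FilterSecurityInterceptor")]),
                        t._v(" continues with the "),
                        r("RouterLink", { attrs: { to: "/en/architecture.html#servlet-filters-review" } }, [t._v("FilterChain")]),
                        t._v(" which allows the application to process normally."),
                      ], 1),
                    ]),
                  ]),
                ]),
              ]),
              t._v(" "),
              // Example 1: the default – every request must be authenticated
              r("p", [t._v("By default, Spring Security’s authorization will require all requests to be authenticated.\nThe explicit configuration looks like:")]),
              t._v(" "),
              r("p", [t._v("Example 1. Every Request Must be Authenticated")]),
              t._v(" "),
              r("p", [t._v("Java")]),
              t._v(" "),
              r("div", { staticClass: "language- extra-class" }, [
                r("pre", { pre: !0, attrs: { class: "language-text" } }, [
                  r("code", [t._v("protected void configure(HttpSecurity http) throws Exception {\n\thttp\n\t\t// ...\n\t\t.authorizeRequests(authorize -> authorize\n\t\t\t.anyRequest().authenticated()\n\t\t);\n}\n")]),
                ]),
              ]),
              r("p", [t._v("XML")]),
              t._v(" "),
              // NOTE(review): only the "<!-- ... -->" comment survived in this XML snippet; the
              // element markup is absent from the bundle. The Java/Kotlin variants are the
              // complete examples. Content kept as built.
              r("div", { staticClass: "language- extra-class" }, [
                r("pre", { pre: !0, attrs: { class: "language-text" } }, [
                  r("code", [t._v('\n\t\x3c!-- ... --\x3e\n\t\n\n')]),
                ]),
              ]),
              r("p", [t._v("Kotlin")]),
              t._v(" "),
              r("div", { staticClass: "language- extra-class" }, [
                r("pre", { pre: !0, attrs: { class: "language-text" } }, [
                  r("code", [t._v("fun configure(http: HttpSecurity) {\n http {\n // ...\n authorizeRequests {\n authorize(anyRequest, authenticated)\n }\n }\n}\n")]),
                ]),
              ]),
              // Example 2: ordered rules, ending in a fail-closed anyRequest().denyAll()
              r("p", [t._v("We can configure Spring Security to have different rules by adding more rules in order of precedence.")]),
              t._v(" "),
              r("p", [t._v("Example 2. Authorize Requests")]),
              t._v(" "),
              r("p", [t._v("Java")]),
              t._v(" "),
              r("div", { staticClass: "language- extra-class" }, [
                r("pre", { pre: !0, attrs: { class: "language-text" } }, [
                  r("code", [t._v('protected void configure(HttpSecurity http) throws Exception {\n\thttp\n\t\t// ...\n\t\t.authorizeRequests(authorize -> authorize (1)\n\t\t\t.mvcMatchers("/resources/**", "/signup", "/about").permitAll() (2)\n\t\t\t.mvcMatchers("/admin/**").hasRole("ADMIN") (3)\n\t\t\t.mvcMatchers("/db/**").access("hasRole(\'ADMIN\') and hasRole(\'DBA\')") (4)\n\t\t\t.anyRequest().denyAll() (5)\n\t\t);\n}\n')]),
                ]),
              ]),
              r("p", [t._v("XML")]),
              t._v(" "),
              // NOTE(review): as above, only the comment and the (1)–(5) callout markers of the
              // XML example are present in the bundle. Content kept as built.
              r("div", { staticClass: "language- extra-class" }, [
                r("pre", { pre: !0, attrs: { class: "language-text" } }, [
                  r("code", [t._v(' (1)\n\t\x3c!-- ... --\x3e\n\t(2)\n\t\n\t\n\t\n\n\t (3)\n\t (4)\n\t (5)\n\n')]),
                ]),
              ]),
              r("p", [t._v("Kotlin")]),
              t._v(" "),
              r("div", { staticClass: "language- extra-class" }, [
                r("pre", { pre: !0, attrs: { class: "language-text" } }, [
                  r("code", [t._v('fun configure(http: HttpSecurity) {\n http {\n authorizeRequests { (1)\n authorize("/resources/**", permitAll) (2)\n authorize("/signup", permitAll)\n authorize("/about", permitAll)\n\n authorize("/admin/**", hasRole("ADMIN")) (3)\n authorize("/db/**", "hasRole(\'ADMIN\') and hasRole(\'DBA\')") (4)\n authorize(anyRequest, denyAll) (5)\n }\n }\n}\n')]),
                ]),
              ]),
              // Callout table for Example 2: rules are evaluated in declaration order,
              // hasRole() adds the "ROLE_" prefix, and the final denyAll() rule means an
              // unmatched URL is denied rather than silently allowed.
              r("table", [
                r("thead", [
                  r("tr", [
                    r("th", [r("strong", [t._v("1")])]),
                    t._v(" "),
                    r("th", [
                      t._v("There are multiple authorization rules specified."),
                      r("br"),
                      t._v("Each rule is considered in the order they were declared."),
                    ]),
                  ]),
                ]),
                t._v(" "),
                r("tbody", [
                  r("tr", [
                    r("td", [r("strong", [t._v("2")])]),
                    t._v(" "),
                    r("td", [
                      t._v("We specified multiple URL patterns that any user can access."),
                      r("br"),
                      t._v('Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about".'),
                    ]),
                  ]),
                  t._v(" "),
                  r("tr", [
                    r("td", [r("strong", [t._v("3")])]),
                    t._v(" "),
                    r("td", [
                      t._v('Any URL that starts with "/admin/" will be restricted to users who have the role "ROLE_ADMIN".'),
                      r("br"),
                      t._v("You will notice that since we are invoking the "),
                      r("code", [t._v("hasRole")]),
                      t._v(' method we do not need to specify the "ROLE_" prefix.'),
                    ]),
                  ]),
                  t._v(" "),
                  r("tr", [
                    r("td", [r("strong", [t._v("4")])]),
                    t._v(" "),
                    r("td", [
                      t._v('Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA".'),
                      r("br"),
                      t._v("You will notice that since we are using the "),
                      r("code", [t._v("hasRole")]),
                      t._v(' expression we do not need to specify the "ROLE_" prefix.'),
                    ]),
                  ]),
                  t._v(" "),
                  r("tr", [
                    r("td", [r("strong", [t._v("5")])]),
                    t._v(" "),
                    r("td", [
                      t._v("Any URL that has not already been matched on is denied access."),
                      r("br"),
                      t._v("This is a good strategy if you do not want to accidentally forget to update your authorization rules."),
                    ]),
                  ]),
                ]),
              ]),
              t._v(" "),
              // Related pages
              r("p", [
                r("RouterLink", { attrs: { to: "/en/spring-security/authorize-http-requests.html" } }, [t._v("Authorize HTTP Requests")]),
                r("RouterLink", { attrs: { to: "/en/spring-security/expression-based.html" } }, [t._v("Expression-Based Access Control")]),
              ], 1),
            ]);
          },
          [], // staticRenderFns
          !1, // functional component? no
          null, // remaining normalizer arguments left as built (presumably injectStyles, scopeId, moduleIdentifier – TODO confirm)
          null,
          null
        );
      e.default = s.exports;
    },
  },
]);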