I have implemented a Spring Security expression in my application's Spring controller:
@Controller
@RequestMapping("init")
public class InitController {
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public @ResponseBody String home() {
        return "This is the init page";
    }
}
With this security configuration:
<http auto-config="true" create-session="stateless" use-expressions="true">
    <intercept-url pattern="/_ah*" access="permitAll" />
    <intercept-url pattern="/init/*" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/init*" access="hasRole('ROLE_ADMIN')"/>
</http>
When this resource is accessed, the default Spring login form is displayed (http://localhost:8888/spring_security_login). However, I don't want this to happen; I just want the credentials to be inserted in a request header like "x-authorization-key" or whatever fits the scenario.
What is the possible solution for this?
- Is it good to just have the x-authorization-key in the request?
- If so, how does it fit with the Spring Security mechanism, that is, how does it fit with the "hasRole" expression?
- It is important that my web service is stateless, and each request gets authenticated
- Finally, how do I deal with Spring Security without having to deal with the Spring login form?