Feb 11th, 2013, 07:19 AM
Spring Security disregards my basic auth unless I specify access role
Using Spring 3.1.2 and RestEasy 2.3.4.
I've got some REST resources. However, I don't want to specify in Spring what roles are needed for all of them. This is my current setup:
<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/secrets/**" access="ROLE_USER"/>
</security:http>
Calls to '/secret/\*\*' get authenticated and I can access the user and roles from the SecurityContextHolder-object. Calls to '/\*\*', however, don't get authenticated even though I pass basic credentials. I want to authorise internally based on data being loaded and not by the URLs.
It seems that Spring Security disregards my basic auth unless I specify access. Is that correct? Is there any way around it?
Feb 11th, 2013, 07:57 AM
You have to specify access rules to have authentication applied; if you don't specify anything, basically every request matches. Simply specify an access rule as AUTHENTICATED_FULLY, which will trigger the process, and after that you can simply do the checks yourself.
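
The "do the checks yourself" step from the reply above, sketched as an added example that is not code from either poster: a JAX-RS resource that reads the authenticated user from SecurityContextHolder and authorises against the loaded record rather than the URL. It assumes a catch-all rule such as `<security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>` is placed after the more specific patterns (the expression form, since the posted configuration sets use-expressions="true"); the class name, path, Note type, sample data and ROLE_ADMIN are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response.Status;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical resource: class name, path, Note type and ROLE_ADMIN are illustrative.
@Path("/notes")
public class NoteResource {

    static final class Note {
        final String owner, text;
        Note(String owner, String text) { this.owner = owner; this.text = text; }
    }

    // Constructed sample data standing in for the application's real lookup.
    private static final Map<String, Note> NOTES = new ConcurrentHashMap<String, Note>();
    static { NOTES.put("1", new Note("alice", "constructed sample")); }

    @GET
    @Path("/{id}")
    @Produces("text/plain")
    public String read(@PathParam("id") String id) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Fail closed: without a rule forcing login, this is null or an anonymous token.
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            throw new WebApplicationException(Status.UNAUTHORIZED);
        }
        Note note = NOTES.get(id);
        if (note == null) throw new WebApplicationException(Status.NOT_FOUND);
        // Authorisation decided from the loaded data, not from the URL.
        if (!note.owner.equals(auth.getName()) && !hasRole(auth, "ROLE_ADMIN")) {
            throw new WebApplicationException(Status.FORBIDDEN);
        }
        return note.text;
    }

    private static boolean hasRole(Authentication auth, String role) {
        for (GrantedAuthority a : auth.getAuthorities()) {
            if (role.equals(a.getAuthority())) return true;
        }
        return false;
    }
}
```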