Spring Security custom method with path variable a

2020-07-05 06:40发布

问题:

I am using spring boot, web MVC and spring security with java configuration. My URLs are 'RESTful' and would like to add custom authorisation methods.

For Example:

.antMatchers("/path/*/**").access("@myBean.authorise()")

I want to achieve something like this:

.antMatchers("/path/{token}/**").access("@myBean.authorise(token)")

I understand that I can pass in the HttpServletRequest and manually strip the path, but would like to avoid this! Also not too keen on method level security, would rather keep the config in one place as I have many controllers.

Thanks!

回答1:

You can access path variables, just prefix them with #. In your case, the correct syntax would be:

.antMatchers("/path/{token}/**").access("@myBean.authorise(#token)")

I'm not sure when this was introduced, but I know it is now supported. Reference: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#el-access-web-path-variables