How do I get the mapped Method from an HttpServletRequest?
WebSecurityConfig based on @Secured annotations rather than paths?
I have a Spring MVC server using @Secured annotations to specify the required roles for each controller method - they do not map easily onto path patterns.
Certain roles are granted via specific authentication methods (e.g. x509, Basic realm A, Basic realm B, Bearer token).
When the caller is not authenticated, the WWW-Authenticate header should not suggest things that do not grant the required roles for the method.
I thought the easiest way to do this was to have the HttpSecurity configured with all possible authentication methods and to permitAll(), delegating all the checks to the method security. However, I can only define one AuthenticationEntryPoint for the chain when this fails.
Thus I need to implement an AuthenticationEntryPoint whose behaviour depends on the roles required, but I have been unable to find a way to get that information within the commence method - there appear to be no methods or attributes detailing the mapped Method (from which I could inspect the annotations) or the required roles (in either the request object or the InsufficientAuthenticationException).
For the same reasons, a DelegatingAuthenticationEntryPoint won't work, as I can't get at these things in a RequestMatcher either.
Is there a bean floating around that will let me easily get hold of this information?
Am I even on the right track to solving the problem?
How do I get the mapped Method from an HttpServletRequest?
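import java.lang.reflect.Method;
import org.springframework.context.ApplicationContext;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.DispatcherServlet;
import org.springframework.web.servlet.HandlerMapping;
// getHandler(request) is declared to throw Exception and returns null when no handler matches the request.
Method method = ((HandlerMethod) ((ApplicationContext) request
        .getAttribute(DispatcherServlet.WEB_APPLICATION_CONTEXT_ATTRIBUTE))
        .getBean("requestMappingHandlerMapping", HandlerMapping.class)
        .getHandler(request)
        .getHandler())
        .getMethod();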
There's also a getMethodAnnotation(Class) on HandlerMethod to skip a step.
From there you can get the details of the @Secured annotations and find out what the required roles are.
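One way to build the role-dependent entry point the question asks for, using the handler lookup from the answer (an added example, not code from the original post). The role names, realm names and the CHALLENGES table are hypothetical; it assumes Spring 6 with jakarta.servlet imports (javax.servlet on Spring 5) and that the requestMappingHandlerMapping bean is passed to the constructor.

```java
import java.io.IOException;
import java.util.Map;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.core.annotation.AnnotatedElementUtils;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.HandlerMapping;

public class RoleAwareEntryPoint implements AuthenticationEntryPoint {
    // Hypothetical role-to-challenge table; roles granted only via x509 have no challenge to offer.
    private static final Map<String, String> CHALLENGES = Map.of(
            "ROLE_REALM_A", "Basic realm=\"A\"",
            "ROLE_REALM_B", "Basic realm=\"B\"",
            "ROLE_API", "Bearer");
    private final HandlerMapping handlerMapping; // assumed: the "requestMappingHandlerMapping" bean
    public RoleAwareEntryPoint(HandlerMapping handlerMapping) { this.handlerMapping = handlerMapping; }
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException ex) throws IOException {
        boolean challenged = false;
        for (String role : requiredRoles(request)) {
            String challenge = CHALLENGES.get(role);
            if (challenge != null) { // only advertise schemes that can grant a required role
                response.addHeader("WWW-Authenticate", challenge);
                challenged = true;
            }
        }
        // Design choice of this example: with no usable challenge, answer 403 rather than list every scheme.
        response.sendError(challenged ? HttpServletResponse.SC_UNAUTHORIZED
                                      : HttpServletResponse.SC_FORBIDDEN);
    }
    private String[] requiredRoles(HttpServletRequest request) {
        try {
            HandlerExecutionChain chain = handlerMapping.getHandler(request);
            if (chain != null && chain.getHandler() instanceof HandlerMethod hm) {
                Secured secured = hm.getMethodAnnotation(Secured.class);
                // Fall back to a class-level @Secured when the method itself has none.
                if (secured == null) secured = AnnotatedElementUtils.findMergedAnnotation(hm.getBeanType(), Secured.class);
                if (secured != null) return secured.value();
            }
        } catch (Exception e) { /* lookup failed: required roles unknown, offer no challenge */ }
        return new String[0];
    }
}
```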