Tags: spring, spring-mvc, spring-security, spring-4, servlet-3.1

AuthenticationEntryPoint dependent on required roles

Problem

I have a Spring MVC server using @Secured annotations to specify the required roles for each controller method - they do not map easily onto path patterns.

Certain roles are granted via specific authentication methods (e.g. x509, Basic realm A, Basic realm B, Bearer token).

When the caller is not authenticated, the WWW-Authenticate header should not suggest things that do not grant the required roles for the method.

Where I am

I thought the easiest way to do this was to have the HttpSecurity configured with all possible authentication methods and to permitAll(), delegating all the checks to the method security. However, I can only define one AuthenticationEntryPoint for the chain when this fails.

Thus I need to implement an AuthenticationEntryPoint whose behaviour depends on the roles required, but I have been unable to find a way to get that information within the commence method - there appear to be no methods or attributes detailing the mapped Method (from which I could inspect the annotations) or the required roles (in either the request object or the InsufficientAuthenticationException).

For the same reasons, a DelegatingAuthenticationEntryPoint won't work, as I can't get at these things in a RequestMatcher either.

Is there a bean floating around that will let me easily get hold of this information?

Am I even on the right track to solving the problem?


Solution

  • How do I get the mapped Method from an HttpServletRequest

    import java.lang.reflect.Method;
    import org.springframework.context.ApplicationContext;
    import org.springframework.web.method.HandlerMethod;
    import org.springframework.web.servlet.DispatcherServlet;
    import org.springframework.web.servlet.HandlerMapping;

    // HandlerMapping.getHandler(...) declares "throws Exception": declare or catch it.
    ApplicationContext ctx = (ApplicationContext) request
        .getAttribute(DispatcherServlet.WEB_APPLICATION_CONTEXT_ATTRIBUTE);
    HandlerMapping mapping = ctx.getBean("requestMappingHandlerMapping", HandlerMapping.class);
    HandlerMethod handlerMethod = (HandlerMethod) mapping.getHandler(request).getHandler();
    Method method = handlerMethod.getMethod();


    There's also a getMethodAnnotation(Class) on HandlerMethod to skip a step.

    From there you can get the details of the @Secured annotations and find out what the required roles are.
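Putting that lookup to use, as an added example that is not the answer's own code: an AuthenticationEntryPoint that resolves the mapped method's @Secured roles and emits only the WWW-Authenticate challenges able to grant them. The class name and the role-to-challenge map are assumptions; the requestMappingHandlerMapping bean name is the one from the answer.

```java
import java.io.IOException;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.ApplicationContext;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.DispatcherServlet;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.HandlerMapping;

public class RoleAwareEntryPoint implements AuthenticationEntryPoint {
    // Hypothetical role -> challenge table, e.g. "ROLE_ADMIN" -> "Basic realm=\"admin\"", "ROLE_API" -> "Bearer".
    private final Map<String, String> challengeByRole;
    public RoleAwareEntryPoint(Map<String, String> challengeByRole) {
        this.challengeByRole = challengeByRole;
    }
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException ex) throws IOException {
        Set<String> challenges = new LinkedHashSet<>();
        for (String role : requiredRoles(request)) {
            if (challengeByRole.containsKey(role)) challenges.add(challengeByRole.get(role));
        }
        // No @Secured on the method, or none of its roles known here: offer every scheme.
        if (challenges.isEmpty()) challenges.addAll(challengeByRole.values());
        for (String challenge : challenges) response.addHeader("WWW-Authenticate", challenge);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, ex.getMessage());
    }
    // Resolves the controller method mapped to this request and returns its @Secured roles.
    private String[] requiredRoles(HttpServletRequest request) {
        try {
            ApplicationContext ctx = (ApplicationContext) request
                .getAttribute(DispatcherServlet.WEB_APPLICATION_CONTEXT_ATTRIBUTE);
            HandlerExecutionChain chain = ctx
                .getBean("requestMappingHandlerMapping", HandlerMapping.class).getHandler(request);
            if (chain != null && chain.getHandler() instanceof HandlerMethod) {
                Secured secured = ((HandlerMethod) chain.getHandler()).getMethodAnnotation(Secured.class);
                return secured == null ? new String[0] : secured.value();
            }
        } catch (Exception e) {
            // HandlerMapping.getHandler declares a checked Exception; treat failure as "no roles".
        }
        return new String[0];
    }
}
```

Register it with `http.exceptionHandling().authenticationEntryPoint(new RoleAwareEntryPoint(map))` on the single permitAll() chain described in the question, so the method-security denial reaches it for anonymous callers.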