Configure Spring HTTP Security at Runtime

Question

Configure Spring HTTP Security at Runtime

All http protection is applied at startup:

protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/admin/**").hasRole("admin") }

At runtime, I try to add even more to it ...

 applicationContext.getBean(WebSecurityConfigurerAdapter).http.authorizeRequests().antMatchers("bla").hasRole("admin")

When this line is executed, it adds it to http.authorizeRequests (), but / bla is still accessible using "non admins"

When the server restarts, this change takes effect as it loads bla from the database.

How to make protection immediately effective without rebooting the server?

+6

spring spring-security

Matthew Struensee Nov 07 '16 at 16:05

source share

1 answer

Issam EL-ATIF · Answer 1 · 2016-11-07T16:15:40+0000

You are trying to dynamically change the spring bean at run time, which is very difficult to do if you are not using tools such as spring -loaded or JRebel. Much has been said about this:

The best approach (in my opinion) for your use case is to use spring profiles.
Define a bean with permissions for / bla and another bean without. Then use them in different profiles.

see dynamically declare beans at run time in Spring

Configure Spring HTTP Security at Runtime

More articles: