I have a Spring-protected web application configured to restrict access to both URLs and methods. I want to disable it completely by default and let my customers easily enable it if they want (they can only access "spring-security.xml").
I managed to disable URL interception, but my method security is still on ...
Any clue?
(I don’t want the client to change my web.xml, so, unfortunately, changing the global-method-security setting every time is not an option ...)
This is my updated spring-security.xml configuration:
    <http auto-config='true' use-expressions="true">
        <intercept-url pattern="/**" access="permitAll" />
        <http-basic />
        <anonymous />
    </http>
I have overridden the DelegatingFilterProxy.doFilter method as follows:
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        final String springSecured = System.getProperty("springSecured");
        if (StringUtils.isNotBlank(springSecured) && springSecured.equalsIgnoreCase("true")) {
and this is an example of the security of the method that I have:
    @RequestMapping(
            value = "applications/{applicationName}/timeout/{timeout}",
            method = RequestMethod.POST)
    public @ResponseBody
    @PreAuthorize("isFullyAuthenticated() and hasPermission(#authGroups, 'deploy')")
    Object deployApplication() {