I have generated a JHipster application using these values:
    {
      "generator-jhipster": {
        "jhipsterVersion": "3.1.0",
        "baseName": "app",
        "packageName": "my.app",
        "packageFolder": "my/app",
        "serverPort": "8080",
        "authenticationType": "session",
        "hibernateCache": "ehcache",
        "clusteredHttpSession": "no",
        "websocket": "no",
        "databaseType": "sql",
        "devDatabaseType": "h2Disk",
        "prodDatabaseType": "mysql",
        "searchEngine": "elasticsearch",
        "buildTool": "gradle",
        "enableSocialSignIn": false,
        "rememberMeKey": "",
        "useSass": true,
        "applicationType": "monolith",
        "testFrameworks": [],
        "jhiPrefix": "jhi",
        "enableTranslation": false
      }
    }
I would like to allow anonymous users to view an entity, but not update or delete that entity.  I have tried editing the generated SecurityConfiguration.java file to add permitAll(HttpMethod.GET,"/**") for authorizeRequests() in the configure(HttpSecurity http) method.  I still get directed to accessdenied when trying to access the entity.
Has anyone addressed this use case before?
This is for AngularJS 1.x.
For accessing the resources: in SecurityConfiguration.java, in the configure(HttpSecurity http) method:
    .and()
        .authorizeRequests()
        .antMatchers(HttpMethod.GET, "/api/**").permitAll()
For accessing the Angular views/states: for each entity, comment out or remove the authorities property for read-only states. Below is an example for the Book entity in src/main/webapp/app/entities/book/book.state.js:
    .state('book', {
        parent: 'entity',
        url: '/book',
        data: {
            // authorities: ['ROLE_USER'],
            pageTitle: 'monoApp.book.home.title'
        },
        ....
    })
    .state('book-detail', {
        parent: 'entity',
        url: '/book/{id}',
        data: {
            // authorities: ['ROLE_USER'],
            pageTitle: 'monoApp.book.detail.title'
        },
However, pay attention to 2 things:
- By using such a pattern in SecurityConfiguration, you also expose your users at /api/users. It would be safer to add a permitAll() per entity so that you keep full control on what you expose (whitelist approach).
- The user experience is poor as you still expose buttons for adding or deleting entities. So you could hide them with ng-hide.
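
The per-entity whitelist suggested in the answer above could look like the following. This is an added example, not part of the original answer or of JHipster's generated code: the class name and the /api/books path for the Book entity are assumptions, and only the authorization rules are shown. In a generated application the two antMatchers lines would go into the existing configure(HttpSecurity http) method instead of a new class.

```java
package my.app.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; illustrates rule ordering only.
@Configuration
@EnableWebSecurity
public class ReadOnlyAnonymousSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Too broad: this would also expose GET /api/users to anonymous callers.
                // .antMatchers(HttpMethod.GET, "/api/**").permitAll()

                // Whitelist: anonymous callers may only read the Book entity.
                // "/api/books" is the assumed REST path for Book.
                .antMatchers(HttpMethod.GET, "/api/books", "/api/books/**").permitAll()

                // Rules are evaluated in order and the first match wins, so the
                // catch-all must come after the whitelist entries. It covers
                // /api/users and every POST, PUT and DELETE, including those on
                // /api/books, so writes still require an authenticated session.
                .antMatchers("/api/**").authenticated();
    }
}
```

Hiding the add and delete buttons with ng-hide only changes what the page shows; the catch-all rule is what rejects an anonymous write at the server.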
 
Source: https://stackoverflow.com/questions/36899967/jhipster-enable-anonymous-users-to-read-entity-but-not-update