I'm setting up a new Java application using OData and ServletRegistrationBean. I'd like to disable the option of receiving POST requests and to allow only GET requests.
Where should I set it up? Can I create a kind of whitelist/blacklist?
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.jaxrs.servlet.CXFNonSpringJaxrsServlet;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;

@Bean
public ServletRegistrationBean odataServletRegistration() {
    // Register the CXF JAX-RS servlet under /odata/* and point it at the Olingo OData application
    ServletRegistrationBean odataServRegstration = new ServletRegistrationBean(new CXFNonSpringJaxrsServlet(), "/odata/*");
    Map<String, String> initParameters = new HashMap<>();
    initParameters.put("javax.ws.rs.Application", "org.apache.olingo.odata2.core.rest.app.ODataApplication");
    initParameters.put("org.apache.olingo.odata2.service.factory", "com.sap.context.JPAServiceFactory");
    odataServRegstration.setInitParameters(initParameters);
    return odataServRegstration;
}
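A whitelist can be enforced at the servlet layer, independently of any security framework, by putting a filter in front of the OData servlet that only lets allow-listed HTTP methods through and answers everything else with 405 Method Not Allowed. The following is an added example, not code from the question or from Olingo/CXF; it assumes Spring Boot 2.x with the javax.servlet API, and the class and bean names (HttpMethodAllowListFilter, OdataFilterConfig, odataMethodFilter) are made up for this illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

/**
 * Hypothetical allow-list filter (added example): every request whose HTTP method is not
 * on the list is rejected with 405 before it can reach the OData servlet.
 */
public class HttpMethodAllowListFilter implements Filter {

    private final Set<String> allowedMethods;

    public HttpMethodAllowListFilter(String... methods) {
        // Normalise once so the comparison in isAllowed() is case-insensitive
        this.allowedMethods = Arrays.stream(methods)
                .map(m -> m.toUpperCase(Locale.ROOT))
                .collect(Collectors.toSet());
    }

    /** Pure policy decision, kept separate so it can be unit-tested without a container. */
    public boolean isAllowed(String method) {
        return method != null && allowedMethods.contains(method.toUpperCase(Locale.ROOT));
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isAllowed(request.getMethod())) {
            // RFC 7231 requires a 405 response to list the permitted methods in Allow
            response.setHeader("Allow", String.join(", ", allowedMethods));
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

@Configuration
class OdataFilterConfig {

    /** Scopes the filter to the same URL pattern as the OData servlet, ahead of all other filters. */
    @Bean
    public FilterRegistrationBean<HttpMethodAllowListFilter> odataMethodFilter() {
        FilterRegistrationBean<HttpMethodAllowListFilter> registration =
                new FilterRegistrationBean<>(new HttpMethodAllowListFilter("GET"));
        registration.addUrlPatterns("/odata/*");
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

Because the filter is registered only through the FilterRegistrationBean (the filter itself is not a Spring bean), Spring Boot does not additionally apply it to every URL. Restricting the list to GET also closes the OData v2 method-tunnelling path, where a write operation is sent as a POST carrying an X-HTTP-Method header: the POST carrier is rejected before the header is ever interpreted. Add "HEAD" to the list if clients probe the service with HEAD requests.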
In Spring Security you can easily configure that, for example, only users of role admin are able to make non-GET requests. I will provide an example soon unless you find it on the net before that. Other users will receive a 403.
A minimalistic example would be:
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/**").hasRole("ADMIN")   // POST anywhere: ADMIN only
                .antMatchers("/**").hasAnyRole("ADMIN", "USER")          // any other method: any authenticated role
            .and()
            .httpBasic();
    }
}
Pay attention to .antMatchers(HttpMethod.POST, "/**").hasRole("ADMIN").