I know its possible to add a @PreAuthorize annotation to a Rest Controller...
@RestController
public class WebController {
@PreAuthorize("hasAuthority('Foo')")
@GetMapping("/restricted")
public ResponseEntity<String> restricted() {
return ResponseEntity.ok("Restricted section");
}
}
How can one preauthorize access to a Spring Integration Http.inbound gateway? I know I could add in a component to the Integration flow and add the annotation on a transformer or service activator method but I'd rather not have a separate object for that.
@Bean
//@PreAuthorize("hasAuthority('Foo')") ?
public HttpRequestHandlingMessagingGateway restrictedGateway() {
return Http.inboundGateway("/restricted")
...
.get();
}
@Bean
public IntegrationFlow myFlow(HttpRequestHandlingMessagingGateway restrictedGateway) {
return IntegrationFlows
.from(restrictedGateway)
.transform(source -> "Restricted section")
.get();
}
I think you are right by looking at https://docs.spring.io/spring-integration/reference/html/security.htm where it allows channel to be declared @Secured
Even if we think about spring security on a normal spring boot app without integration, it is at filter level so it seems to make sense as I consider HttpRequestHandlingMessagingGateway as a listener for http requests
Can you try
@Bean
@SecuredChannel(interceptor = "channelSecurityInterceptor", sendAccess = "ROLE_XXX")
public SubscribableChannel secureChannel() {
return new DirectChannel();
}
@Bean
public IntegrationFlow myFlow(HttpRequestHandlingMessagingGateway
restrictedGateway) {
return IntegrationFlows
.from(restrictedGateway)
.channel(secureChannel())
.transform(source -> "Restricted section")
.get();
}