I have this code in my Web Security Config:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/api/**").hasRole("ADMIN")
        .and()
        .httpBasic()
        .and()
        .csrf().disable();
}
```
So I added a user with the "ADMIN" role in my database, and I always get a 403 error when I try logging in with this user. Then I enabled logging for Spring and I found this line:
2015-10-18 23:13:24.112 DEBUG 4899 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/user/login; Attributes: [hasRole('ROLE_ADMIN')]
Why is Spring Security looking for "ROLE_ADMIN" instead of "ADMIN"?
antMatchers() is a Spring Boot HTTP method used to configure the URL paths for which the Spring Boot application's security should permit requests based on the user's roles. The antMatchers() method is an overloaded method that receives both the HTTP request methods and the specific URLs as its arguments.
Spring Security adds the prefix "ROLE_" by default.
If you want this removed or changed, take a look at
How to change role from interceptor-url?
EDIT: found this as well: Spring Security remove RoleVoter prefix
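To make the prefix behaviour concrete, here is an added example (not code from the question or from either answer) showing the two usual ways of reconciling a database role stored as "ADMIN" with the /api/** rule above. It assumes Spring Security 5.x, where WebSecurityConfigurerAdapter is still available; the username "alice" and the in-memory user store are constructed stand-ins for the database in the question.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Option A: hasRole("ADMIN") is evaluated as hasAuthority("ROLE_ADMIN"),
                // which is exactly what the FilterSecurityInterceptor log line shows.
                // The user therefore has to carry the authority "ROLE_ADMIN".
                .antMatchers("/api/**").hasRole("ADMIN")
                // Option B (alternative): hasAuthority() compares the string verbatim,
                // so an authority stored as plain "ADMIN" would match without a prefix.
                // .antMatchers("/api/**").hasAuthority("ADMIN")
            .and()
            .httpBasic()
            .and()
            .csrf().disable(); // copied from the question; browser-facing apps should leave CSRF on
    }

    @Override
    protected UserDetailsService userDetailsService() {
        // Hypothetical user store standing in for the question's database table.
        return username -> {
            if (!"alice".equals(username)) {
                throw new UsernameNotFoundException(username);
            }
            // UserBuilder.roles("ADMIN") prepends ROLE_ for you, yielding the
            // granted authority "ROLE_ADMIN" that hasRole("ADMIN") looks for.
            // Passing "ROLE_ADMIN" to roles() would throw, because the prefix
            // would be added twice; use authorities("ROLE_ADMIN") in that case.
            return User.withUsername("alice")
                    .password("{noop}secret") // {noop}: unencoded, for a local demo only
                    .roles("ADMIN")
                    .build();
        };
    }
}
```

If your database already stores authorities without the prefix and you would rather not change the stored values, Option B (hasAuthority) is the smaller change; Option A keeps the conventional ROLE_ naming so that other role-based checks such as @Secured("ROLE_ADMIN") keep working. A useful check when debugging a 403 is to log the authorities on the authenticated principal and compare them, character for character, with the attribute shown in the FilterSecurityInterceptor line.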