 

Springboot Security hasRole ignored

I am trying to secure some URL patterns of my Spring Boot application (1.21); it looks like my antMatchers("/report**").hasRole("REPORT") is ignored. I changed the order of my antMatchers, but this changed nothing.

E.g. if I browse to anything like localhost:9000/report/books I need to log in, and it works only with my username/password combination, but I did not assign the role REPORT to my user "user". So I would expect that I am not allowed to visit the report site, but the page is shown.

How do I have to change it so that only users with the role REPORT can visit that URL?

EDIT1 Updated sourcefiles

Application.java

@SpringBootApplication
@EnableTransactionManagement
public class Application {

    /**
     * Boots the Spring application context.
     *
     * @param args command-line arguments handed through to Spring Boot
     */
    public static void main(String[] args) {
        // The returned ApplicationContext is not used here; Spring Boot keeps it alive itself.
        SpringApplication.run(Application.class, args);
    }
}

MvcConfig.java

@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {

    /** Registers the application's custom error pages on the embedded servlet container. */
    private static class ErrorPageCustomizer implements EmbeddedServletContainerCustomizer {

        @Override
        public void customize(ConfigurableEmbeddedServletContainer container) {
            // Presumably resolved as static files through the /error/** handler below - confirm.
            container.addErrorPages(new ErrorPage(HttpStatus.NOT_FOUND, "/error/404"));
            container.addErrorPages(new ErrorPage(Exception.class, "/error/exception"));
        }
    }

    /**
     * Maps {@code /login} straight to the {@code login} view; no controller is needed
     * because the view only renders the form.
     */
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/login").setViewName("login");
    }

    /** Exposes the error-page customizer as a bean so Boot applies it to the container. */
    @Bean
    public EmbeddedServletContainerCustomizer containerCustomizer() {
        return new ErrorPageCustomizer();
    }

    /**
     * Publishes classpath resources. Note that {@code /error/**} and {@code /static/**}
     * both expose the whole {@code classpath:/static/} tree.
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        serve(registry, "/error/**", "classpath:/static/");
        serve(registry, "/static/**", "classpath:/static/");
        serve(registry, "/css/**", "classpath:/static/css/");
        serve(registry, "/images/**", "classpath:/static/images/");
        serve(registry, "/js/**", "classpath:/static/js/");
    }

    /** Registers a single resource handler; kept separate to avoid repeating the chain. */
    private static void serve(ResourceHandlerRegistry registry, String pattern, String location) {
        registry.addResourceHandler(pattern).addResourceLocations(location);
    }
}

WebSecurityConfig.java

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Form login on {@code /login}, open logout, and the URL authorization rules.
     * <p>
     * NOTE(review): {@code /report**} matches only a single path segment (e.g.
     * {@code /reportbooks}); a nested URL such as {@code /report/books} does not
     * match it, falls through to the {@code anyRequest()} rule and is therefore
     * visible to every authenticated user - which is the behaviour the question
     * describes.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Never put the session id into URLs.
        http.sessionManagement().enableSessionUrlRewriting(false);

        http.formLogin()
            .loginPage("/login")
            .permitAll();

        http.logout()
            .permitAll();

        http.authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/report**").hasRole("REPORT")
            .anyRequest().fullyAuthenticated();
    }

    /**
     * In-memory demo users. Neither user carries the REPORT role, and the plain-text
     * passwords are acceptable only for a local sample.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("user").roles("USER")
            .and()
            .withUser("admin").password("admin").roles("ADMIN");
    }
}



1 Answers

I needed to change the following:

  1. change /report** to /report/** (the original pattern only matches a single path segment such as /reportbooks, so /report/books fell through to the anyRequest() rule)
  2. add .and().exceptionHandling().accessDeniedPage("/error/403");
  3. Maybe it works without the @Order, but I saw it in the Spring Boot sample
  4. (the /error/403 path must be mapped to an error page)

WebSecurityConfig

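@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Form login on {@code /login}, open logout, URL authorization rules and the
     * access-denied page.
     * <p>
     * {@code /report/**} matches {@code /report} itself as well as every nested
     * path (Ant {@code **} = zero or more segments), so the whole report area
     * requires the REPORT role. Rules are evaluated in order, which is why the
     * specific matcher sits before {@code anyRequest()}.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Never put the session id into URLs.
        http.sessionManagement().enableSessionUrlRewriting(false);

        http.formLogin()
            .loginPage("/login")
            .permitAll();

        http.logout()
            .permitAll();

        http.authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/report/**").hasRole("REPORT")
            .anyRequest().fullyAuthenticated();

        // Authenticated but unauthorized requests are forwarded to the 403 page
        // instead of receiving the default bare response.
        http.exceptionHandling().accessDeniedPage("/error/403");
    }

    /**
     * In-memory demo users. {@code roles("REPORT")} yields the authority
     * {@code ROLE_REPORT}, which is what {@code hasRole("REPORT")} checks, so only
     * {@code admin} may open the report area.
     * <p>
     * The method-level {@code @Order} that used to sit here was dropped: ordering
     * applies to beans and configuration classes, not to an overridden method, so
     * it had no effect. Plain-text passwords are acceptable only for a local sample;
     * a real deployment should configure a {@code PasswordEncoder} and an external
     * user store.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("user").roles("USER")
            .and()
            .withUser("admin").password("admin").roles("ADMIN", "REPORT");
    }
}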
