How to fix role in Spring Security?

by

Your first matcher anyRequest() is always applied, because the order of matchers is important, see HttpSecurity#authorizeRequests:

Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:

http.authorizeRequests().antMatchers("/**").hasRole("USER").antMatchers("/admin/**")
            .hasRole("ADMIN")

Your modified and simplified configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()      
        .httpBasic()
            .and()
        .authorizeRequests()
            .antMatchers("/users/all").hasRole("admin")
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .and()
        .exceptionHandling().accessDeniedPage("/403");
}

More Related Contents:

  1. Spring Security : Multiple HTTP Config not working
  2. Filter invoke twice when register as Spring bean
  3. Spring security CORS Filter
  4. How to create custom methods for use in spring security expression language annotations
  5. When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
  6. Configuring Spring Security 3.x to have multiple entry points
  7. How to disable spring security for particular url
  8. Difference between Role and GrantedAuthority in Spring Security
  9. Disable Spring Security for OPTIONS Http Method
  10. How to disable ‘X-Frame-Options’ response header in Spring Security?
  11. How to enable HTTP response caching in Spring Boot
  12. RESTful Authentication via Spring
  13. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  14. Spring webSecurity.ignoring() doesn’t ignore custom filter
  15. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  16. Unit testing with Spring Security
  17. spring web, security + web.xml + mvc dispatcher + Bean is created twice
  18. Spring Security, secured and none secured access
  19. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  20. Spring Security multiple url ruleset not working together
  21. JAAS for human beings
  22. How to use new PasswordEncoder from Spring Security
  23. Spring security added prefix “ROLE_” to all roles name?
  24. Why this Spring application with java-based configuration don’t work properly
  25. How do I disable resolving login parameters passed as url parameters / from the url
  26. Spring REST security – Secure different URLs differently
  27. What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?
  28. disabling spring security in spring boot app [duplicate]
  29. Disabling a filter for only a few paths
  30. Custom Authentication Manager with Spring Security and Java Configuration

Leave a Comment