Multiple antMatchers in Spring security

by

I believe that the problem is in the order of your rules:

.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/admin/login").permitAll()

The order of the rules matters and the more specific rules should go first. Now everything that starts with /admin will require authenticated user with ADMIN role, even the /admin/login path (because /admin/login is already matched by the /admin/** rule and therefore the second rule is ignored).

The rule for the login page should therefore go before the /admin/** rule. E.G.

.antMatchers("/admin/login").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")

More Related Contents:

  1. Spring Boot Security CORS
  2. Handle spring security authentication exceptions with @ExceptionHandler
  3. How do I get the Session Object in Spring?
  4. Spring Boot CORS filter – CORS preflight channel did not succeed
  5. Spring Security exclude url patterns in security annotation configurartion
  6. Spring Security 3.2 CSRF support for multipart requests
  7. Spring Security configuration: HTTP 403 error
  8. Spring + Web MVC: dispatcher-servlet.xml vs. applicationContext.xml (plus shared security)
  9. getting exception: No bean named ‘springSecurityFilterChain’ is defined
  10. An Authentication object was not found in the SecurityContext – Spring 3.2.2
  11. Spring Security 3.2 CSRF disable for specific URLs
  12. With Spring Security 3.2.0.RELEASE, how can I get the CSRF token in a page that is purely HTML with no tag libs
  13. Looking for a Simple Spring security example [closed]
  14. Spring security 4 custom login j_spring_security_check return http 302
  15. Is it possible to invalidate a spring security session?
  16. Spring 3 RequestMapping: Get path value
  17. No WebApplicationContext found: no ContextLoaderListener registered?
  18. ApplicationContextException: Unable to start ServletWebServerApplicationContext due to missing ServletWebServerFactory bean
  19. Can SpringMVC be configured to process all requests, but exclude static content directories?
  20. can I include user information while issuing an access token?
  21. automatically add header to every response
  22. Auto login after successful registration
  23. No Spring WebApplicationInitializer types detected on classpath
  24. Spring MVC @RestController and redirect
  25. java.lang.IllegalArgumentException: A ServletContext is required to configure default servlet handling
  26. Spring REST security – Secure different URLs differently
  27. Custom Authentication Manager with Spring Security and Java Configuration
  28. SPRING REST: The request was rejected because no multipart boundary was found
  29. How to apply Spring Data projections in a Spring MVC controllers?
  30. Custom Authentication provider with Spring Security and Java Config

Leave a Comment