0

I am using spring security to authenticate users.

AdminController.java

import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

@Controller
@Secured("ROLE_ADMIN") // class-level: every handler method in this controller requires ROLE_ADMIN
public class AdminController {

    @RequestMapping("/list")
    public ModelAndView listProductController(@ModelAttribute("pForm") Product product, ModelMap model)
    {
        return new ModelAndView("list", model);
    }
}

In the above code, I want only admins to be able to visit the URL http://localhost/Pgga/list, but even without logging in, I am able to visit this page.

spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd">

    <global-method-security secured-annotations="enabled" />

    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/admin*" access="ROLE_ADMIN" />

        <!-- access denied page -->
        <access-denied-handler error-page="/403" />
        <form-login 
            login-page="/login"
            login-processing-url="/login.do"
            default-target-url="/index"
            authentication-failure-url="/login?error" 
            username-parameter="emailID"
            password-parameter="password" />
        <logout 
            logout-success-url="/login?logout"
            delete-cookies="JSESSIONID"
            invalidate-session="true" />
        <csrf/>
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="userAuthenticationProvider">
            <password-encoder hash="plaintext" />
        </authentication-provider>
    </authentication-manager>

</beans:beans>

How can I allow only admins to enter the admin area?

Harshit

2 Answers

1

Use hasRole('admin') or set use-expressions="false"...

Girish Bhat M
  • Now the page gets redirected to `login` & loads infinitely. – Harshit Mar 11 '16 at 04:40
  • If the user is not authenticated then it redirects to the login page only. Please make sure authentication is done. This may help you: http://stackoverflow.com/questions/28459446/unable-to-validate-role-in-spring-security-for-url-pattern – Girish Bhat M Mar 11 '16 at 04:48
  • Even login page gets redirected to itself, so it is going inside infinite loop. – Harshit Mar 11 '16 at 05:50
1

Login is redirecting to itself because you set:

login-page="/login"

And it keeps redirecting to the user page because Spring knows /login is the login page but doesn't have access to use it, so add this:

<intercept-url pattern="/login" access="permitAll()" />

to make sure the login page is permitted and can give access or assign a role to the authenticated user.

FreezY
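Combining the two answers, here is an added example (not code from either answer or from the question) of the <http> block rewritten with expression-based access rules, so that the login page is open and the admin pages actually match a rule. The /list and /admin/** patterns are assumptions chosen to fit the controller in the question; intercept-url patterns are matched against the path inside the application, so the /Pgga context path is not part of them.

```xml
<!-- Added example: <http> block from the question with valid SpEL access
     attributes (required once use-expressions="true") and the login page
     reachable anonymously. The /list and /admin/** patterns are assumed. -->
<http auto-config="true" use-expressions="true">

    <!-- The login page, its processing URL and the error page must be open;
         otherwise an anonymous request to /login is itself sent to /login. -->
    <intercept-url pattern="/login"    access="permitAll" />
    <intercept-url pattern="/login.do" access="permitAll" />
    <intercept-url pattern="/403"      access="permitAll" />

    <!-- "/admin*" only matches paths that begin with /admin, so /list was
         never covered by it. With use-expressions="true" a bare
         access="ROLE_ADMIN" is not a valid expression; use hasRole(...).
         (Spring Security 4+ also accepts hasRole('ADMIN') and adds ROLE_.) -->
    <intercept-url pattern="/list"     access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />

    <!-- Deny by default: anything not listed above requires a login.
         Keep this catch-all last; rules are evaluated top to bottom. -->
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <access-denied-handler error-page="/403" />
    <form-login
        login-page="/login"
        login-processing-url="/login.do"
        default-target-url="/index"
        authentication-failure-url="/login?error"
        username-parameter="emailID"
        password-parameter="password" />
    <logout
        logout-success-url="/login?logout"
        delete-cookies="JSESSIONID"
        invalidate-session="true" />
    <csrf/>
</http>
```

Rules are matched in order and the first match wins, which is why the permitAll entries come first and /** comes last. If the @Secured annotation on the controller is also meant to work, the <global-method-security> element has to be declared in the application context that creates the controller beans (the DispatcherServlet's context for @Controller classes), or it has no effect on them.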