0

I have implemented spring security in my application. It is stateless-token based authentication and username/password based authentication.

I have configured user authentication, but the role-based authorisation is not working.

A user who has ROLE_USER is able to access the controller method which has ROLE_ADMIN.

Here is the configuration.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

// AuthenticationFilter, PasswordBasedAuthenticationProvider and
// TokenBasedAuthenticationProvider are the asker's own classes and are not shown in the post.

@EnableWebSecurity 
@EnableGlobalMethodSecurity(securedEnabled = true)   // enables @Secured on beans in this context
@Configuration 
public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter{

    @Bean
    AuthenticationProvider passwordBasedAuthenticationProvider() {
        return new PasswordBasedAuthenticationProvider();
    }

    @Bean
    AuthenticationProvider tokenBasedAuthenticationProvider(){
        return new TokenBasedAuthenticationProvider();
    }   

    @Override
    public void configure(WebSecurity web) throws Exception {        
         // Requests under /api/v1/public/ bypass the security filter chain entirely.
         web.ignoring().antMatchers("/api/v1/public/**");
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
         // Only URL rule: every request needs an authenticated user; no role is required here.
         http.
         csrf().disable().
         sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).
         and().
         authorizeRequests().
         anyRequest().authenticated().
         and().
         anonymous().disable();   
         http.addFilterBefore(new AuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class);
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(passwordBasedAuthenticationProvider()).
            authenticationProvider(tokenBasedAuthenticationProvider());
    }
}

DOMAINS

import java.util.Collection;
import java.util.Collections;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Entity
public class Role implements GrantedAuthority  {
    @Id
    private long id;    
    private String authority;   // compared verbatim against @Secured("ROLE_ADMIN"), so it must carry the ROLE_ prefix

    @Override
    public String getAuthority() { return authority; }
}

public class User implements UserDetails{
     private String username;
     private String passwordHash;
     private Role role;

     // The other UserDetails methods are omitted in the post; this is the one every role check reads.
     @Override
     public Collection<? extends GrantedAuthority> getAuthorities() {
         return Collections.singletonList(role);
     }
}

@RestController 
public class TesController {
    @RequestMapping(value="/authController")
    @Secured("ROLE_ADMIN")
    String test(){ return "I am secure for ROLE_ADMIN"; }
}

What is incorrect about this configuration?

Stewart
R. S.
  • Nothing in your configuration actually mentions either `ROLE_USER` or `ROLE_ADMIN`. I'm only used to using the XML config. Where are roles supposed to be defined, so that `TesController` can actually pick them up? – Stewart May 27 '16 at 19:53
  • If you change your `configure` method by adding `.antMatchers("/authController").access("hasRole('ADMIN')")` the situation is the same? – lenach87 May 27 '16 at 20:53

1 Answer

0

You have to define at least the RoleHierarchy with something like this or whatever the configuration may look like in your case:

@Bean
public RoleHierarchy roleHierarchy() {
  RoleHierarchyImpl r = new RoleHierarchyImpl();
  // setHierarchy() rebuilds the whole hierarchy from the string it is given, so four
  // separate calls leave only the last relation in effect. Pass every relation in
  // one newline-separated string instead.
  r.setHierarchy("ROLE_ADMIN > ROLE_STAFF\n"
      + "ROLE_STAFF > ROLE_USER\n"
      + "ROLE_DEVELOPER > ROLE_USER\n"
      + "ROLE_USER > ROLE_GUEST");
  // The bean is only consulted once it is handed to the expression handler (or a
  // RoleHierarchyVoter) that the web and method security checks actually use.
  return r;
}
Xemnas90
  • http://stackoverflow.com/questions/6357579/spring-security-with-roles-and-permissions – V33R May 27 '16 at 20:37
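As an added example that is not code from the question or the answer, the following shows roles wired end to end on the same Spring Security 4.x Java-config API the question uses: a UserDetails that exposes its role as a GrantedAuthority, a URL-level hasRole rule that is enforced in the filter chain before any controller runs, and the RoleHierarchy from the answer handed to both the web and the method-security expression handlers, since the bean does nothing on its own. The class names, the /admin and /staff paths and the hierarchy itself are illustrative; the classes are package-private only so they compile as one file.

```java
// Added example, not the asker's or the answerer's code. Assumes Spring Security 4.x
// (WebSecurityConfigurerAdapter era). Class, path and role names are illustrative.
import java.util.Collection;
import java.util.Collections;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/** Principal that exposes its single role as a GrantedAuthority. */
class AppUser implements UserDetails {
    private final String username;
    private final String passwordHash;
    private final String role; // stored with the prefix, e.g. "ROLE_USER"

    AppUser(String username, String passwordHash, String role) {
        this.username = username;
        this.passwordHash = passwordHash;
        this.role = role;
    }

    /** Every role check reads this list; an empty list or a missing ROLE_ prefix denies everything. */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return Collections.singletonList(new SimpleGrantedAuthority(role));
    }

    @Override public String getPassword() { return passwordHash; }
    @Override public String getUsername() { return username; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }
}

/** URL-level rules: enforced in the filter chain before any controller code runs. */
@Configuration
@EnableWebSecurity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** One setHierarchy call; a later call replaces the earlier relations instead of adding to them. */
    @Bean
    public RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_STAFF\nROLE_STAFF > ROLE_USER");
        return hierarchy;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // hasRole() only honours the hierarchy if the web expression handler is told about it.
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        handler.setRoleHierarchy(roleHierarchy());

        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .expressionHandler(handler)
                .antMatchers("/admin/**").hasRole("ADMIN")  // hasRole("ADMIN") matches authority "ROLE_ADMIN"
                .antMatchers("/staff/**").hasRole("STAFF")  // ROLE_ADMIN reaches this via the hierarchy
                .anyRequest().authenticated();
    }
}

/** Method-level rules: a second layer behind the URL rules, using the same hierarchy. */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Autowired
    private RoleHierarchy roleHierarchy;

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setRoleHierarchy(roleHierarchy);
        return handler;
    }
}

@RestController
class AdminController {
    // public: method security is applied by a Spring AOP proxy, and with JDK interface
    // proxies only public interface methods are interceptable.
    @RequestMapping("/admin/report")
    @PreAuthorize("hasRole('ADMIN')")
    public String report() {
        return "admin only";
    }
}
```

With this in place a ROLE_USER principal is rejected at /admin/** by the filter chain with a 403 before the controller is ever invoked, and the method annotation is a second check rather than the only one. Note that @Secured is evaluated by RoleVoter, which does not consult a RoleHierarchy; hasRole() expressions (URL rules and @PreAuthorize) are the ones the hierarchy feeds into, unless RoleVoter is replaced by a RoleHierarchyVoter.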