
In a class that extends WebSecurityConfigurerAdapter I have this code to add security by URL for different roles.

    http.authorizeRequests().antMatchers(HttpMethod.GET, "/rest/setup/defaultpassword/**").hasRole("USER");
    http.authorizeRequests().antMatchers(HttpMethod.GET, "/rest/setup/commerces/**").hasRole("USER");
    http.authorizeRequests().antMatchers(HttpMethod.GET, "/rest/setup/tax").hasRole("USER");

    http.authorizeRequests().antMatchers("/rest/setup/tax").hasRole("ADMIN");
    http.authorizeRequests().antMatchers("/login").permitAll(); //
    http.authorizeRequests().antMatchers("/rest/**").authenticated();
    http.csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);

    http.formLogin().successHandler(authenticationSuccessHandler);
    http.formLogin().failureHandler(authenticationFailureHandler);
    http.logout().logoutUrl("/logout");
    http.logout().logoutSuccessUrl("/");

When I log in with a user role, I can access /rest/setup/tax

When I log in with an admin role, I can access /rest/setup/tax

http://localhost:8080/rest/setup/tax 403 (Forbidden)

I am trying to allow only GET for the user role and everything for the admin one.

bernard deromme

1 Answer

Table AUTHORITIES will have two columns, username and authority, and the role specified in the authority column should carry the prefix ROLE_, e.g. ROLE_ADMIN and ROLE_USER. Therefore your code should specify hasRole("ROLE_USER") and hasRole("ROLE_ADMIN").

UPDATE:

  1. RoleVoter.java

     https://github.com/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/access/vote/RoleVoter.java

  2. SO question on a similar issue with the ROLE_ prefix

     Spring security added prefix "ROLE_" to all roles name?

  • The hasRole([role]) doc says: "hasRole returns true if the current principal has the specified role. By default, if the supplied role does not start with 'ROLE_' it will be added. This can be customized by modifying the defaultRolePrefix on DefaultWebSecurityExpressionHandler." – bernard deromme Jul 24 '16 at 13:01
  • Bernard, we implemented `Spring Security 4.0.1.RELEASE` and had a similar issue when a role without the ROLE_ prefix was specified. The reason is the RoleVoter class using the prefix ROLE_. I suggest reading the update link above. Note: you can also eliminate the ROLE_ prefix, but I wouldn't recommend it. – Ravindran Kanniah Jul 25 '16 at 14:08
  • Sorry, just a minor correction. The above should read "we implemented our project using `Spring Security 4.0.1.RELEASE`". – Ravindran Kanniah Jul 25 '16 at 16:55
  • Funny, when I add ROLE_ the application doesn't start. Complete error: justpaste.it/wn96. With 4.04 it doesn't seem to work. – bernard deromme Jul 26 '16 at 00:45
  • Bernard, I don't know how to help you. You may give the GitHub samples for `Spring-Security` a try at https://github.com/spring-projects/spring-security/tree/master/samples. They might provide some insight. – Ravindran Kanniah Jul 26 '16 at 03:43
  • Just another thought, we also have something like this to link to the login page: `http.authorizeRequests().anyRequest().authenticated().and().formLogin().loginPage("/login.html") .loginProcessingUrl("/login").permitAll().and().logout().logoutSuccessUrl("/")` – Ravindran Kanniah Jul 26 '16 at 04:03
  • I posted on GitHub in the Spring Security repo... waiting for an answer... seems a basic case... – bernard deromme Aug 05 '16 at 15:32
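Editor's added example, not code from the question or the answer: one way to write the policy the question asks for (GET for the user role, everything for the admin role) on the question's own URLs. It rests on two facts about Spring Security 4.x: `antMatchers` rules are evaluated in declaration order and the first matching rule decides, so a method-specific GET rule for one URL must come before the general rule for that URL and must admit both roles; and `hasRole`/`hasAnyRole` prepend `ROLE_` themselves and reject a name that already starts with it. The class name and the handler beans are placeholders.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;

// Added example (placeholder class name), not the asker's configuration.
@Configuration
@EnableWebSecurity
public class SetupSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationEntryPoint authenticationEntryPoint; // placeholder bean

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // 1. Read-only access for both roles. This rule must come first: the
            //    first matching antMatcher wins, so a GET rule that names only
            //    USER would send an ADMIN's GET straight to a 403.
            //    hasAnyRole("USER", "ADMIN") expands to ROLE_USER / ROLE_ADMIN;
            //    in Spring Security 4.x a name already starting with ROLE_ is
            //    rejected when the context starts.
            .antMatchers(HttpMethod.GET,
                         "/rest/setup/defaultpassword/**",
                         "/rest/setup/commerces/**",
                         "/rest/setup/tax").hasAnyRole("USER", "ADMIN")
            // 2. Every other method (POST, PUT, DELETE, ...) on the tax
            //    resource: admin only. Declared after the GET rule, so it only
            //    sees requests the GET rule did not match.
            .antMatchers("/rest/setup/tax").hasRole("ADMIN")
            // 3. Login is open to everyone.
            .antMatchers("/login").permitAll()
            // 4. Broad catch-all for the rest of the API goes last; placed
            //    earlier it would shadow the role-specific rules above.
            .antMatchers("/rest/**").authenticated()
            .and()
            .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint)
            .and()
            .formLogin()
            .and()
            .logout().logoutUrl("/logout").logoutSuccessUrl("/");
    }
}
```

With this ordering a USER receives 403 on POST /rest/setup/tax and 200 on GET, while an ADMIN passes both rules; the question's original order produced the 403 for ADMIN because its GET rule admitted USER alone.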