I want the users to have access to HTML pages based on their role. For example, only the ones with the HR role should be able to view the settings.html page, and only those who are managers should see pendingrequest.html.
This is my security configuration:
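
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.autoconfigure.security.SecurityProperties;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private DatabaseAuthenticationProvider authenticationProvider;

        // Static resources are excluded from the security filter chain.
        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/js/**", "/css/**", "/img/**");
        }

        // Form login, logout and the URL access rules; CSRF protection is switched off.
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.formLogin().loginPage("/login").failureUrl("/login").defaultSuccessUrl("/")
                .and().logout().logoutSuccessUrl("/login")
                .and().authorizeRequests().antMatchers("/login").permitAll()
                .antMatchers("/settings.html").hasRole("HR")
                .antMatchers("/pendingRequests.html").hasRole("MANAGER")
                .antMatchers("/settings.html","/pendingRequests.html").hasRole("ADMIN")
                .anyRequest().authenticated().and().csrf().disable();
        }

        // Authentication is delegated to the custom provider.
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(authenticationProvider).eraseCredentials(false);
        }
    }
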
For some reason, what I've tried there doesn't work: no matter what role I have, I cannot see those pages.
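
An added example, not part of the original post: in Spring Security, `antMatchers` rules are tried in declaration order with the first match deciding, and `hasRole("HR")` checks for an authority named `ROLE_HR`. The configuration below states each URL once with all of its allowed roles and shows a role-name mapping; the class name `RoleRulesExample` and the helper `toAuthorities` are hypothetical, and how the post's `DatabaseAuthenticationProvider` builds its authorities is not shown on the page.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Hypothetical class name; same WebSecurityConfigurerAdapter API as the question.
@Configuration
@EnableWebSecurity
public class RoleRulesExample extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin().loginPage("/login").failureUrl("/login").defaultSuccessUrl("/")
            .and().logout().logoutSuccessUrl("/login")
            .and().authorizeRequests()
                .antMatchers("/login").permitAll()
                // Matchers are tried in declaration order and the first match
                // decides, so each URL appears once with every role allowed in.
                .antMatchers("/settings.html").hasAnyRole("HR", "ADMIN")
                .antMatchers("/pendingRequests.html").hasAnyRole("MANAGER", "ADMIN")
                .anyRequest().authenticated();
        // CSRF protection is left at its default (enabled) here; with it
        // enabled, logout has to be a POST that carries the CSRF token.
    }

    // hasRole("HR") / hasAnyRole("HR", ...) look for the authority "ROLE_HR".
    // Assumed helper: maps role names as stored (e.g. "HR") to that form; an
    // AuthenticationProvider would put the result in the Authentication it returns.
    static Collection<GrantedAuthority> toAuthorities(Collection<String> storedRoles) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : storedRoles) {
            String name = role == null ? "" : role.trim().toUpperCase(Locale.ROOT);
            if (name.isEmpty()) {
                continue; // skip blank entries instead of granting a bare "ROLE_"
            }
            authorities.add(new SimpleGrantedAuthority(
                    name.startsWith("ROLE_") ? name : "ROLE_" + name));
        }
        return authorities;
    }
}
```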