EDIT 5
Silly me, the ADMIN was not recognized because I wrote the authoritiesByUsernameQuery query wrong, so if you have the same problem check this out. Now configure is working; here is the code, for example:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin", "/admin/user").access("hasRole('ADMIN')") // only ADMIN can see those pages
                .antMatchers("/page*").access("hasRole('USER')") // only the users can see all the pages that start with 'page'
                .anyRequest().permitAll() // all the other pages can be seen by anyone
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .exceptionHandling().accessDeniedPage("/403")
                .and()
            .logout().logoutSuccessUrl("/login?logout")
                .and()
            .csrf();
    }
EDIT 4
If I write

    ${pageContext.request.isUserInRole('ADMIN')}

or

    ${pageContext.request.isUserInRole('USER')}

in my JSP, it shows "false", so it's not recognizing the roles. But why?
EDIT 3
Ok, now I have a new problem (plus the previous one): how can I permit access to some pages for everyone? Otherwise no user could subscribe.
EDIT 2
I edited the code again, following dur's suggestion:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin", "/admin/users").access("hasRole('ADMIN')") // admin-only pages
                .anyRequest().authenticated() // every other page requires a logged-in user
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .exceptionHandling().accessDeniedPage("/403")
                .and()
            .logout().logoutSuccessUrl("/login?logout")
                .and()
            .csrf();
    }

but it's still not working (the admin is not recognized and can't access his pages). So, I don't think it's a problem only of the RULE_ADMIN.
In my database (postgres) I have created the tables like this:
    -- sequence backing ruoli_utente.user_role_id; it must exist before the table is created
    CREATE SEQUENCE ruoli_utente_user_role_id_seq;

    CREATE TABLE public.utenti
    (
        username character varying(45) NOT NULL,
        password character varying(45) NOT NULL,    -- 45 chars cannot hold a 60-char BCrypt hash
        abilitazione boolean NOT NULL DEFAULT true, -- the 'enabled' flag
        email character varying(45) NOT NULL,
        CONSTRAINT username PRIMARY KEY (username)
    );

    CREATE TABLE public.ruoli_utente
    (
        user_role_id integer NOT NULL DEFAULT nextval('ruoli_utente_user_role_id_seq'::regclass),
        username character varying(45) NOT NULL,
        ruolo character varying(45) NOT NULL,       -- the authority (role) name
        CONSTRAINT user_role_pk PRIMARY KEY (user_role_id),
        CONSTRAINT username_fk FOREIGN KEY (username)
            REFERENCES public.utenti (username) MATCH SIMPLE
            ON UPDATE NO ACTION ON DELETE NO ACTION
    );

Is it possible that the authoritiesByUsernameQuery method doesn't recognize the role column because it's named differently? If so, why does usersByUsernameQuery recognize enabled users, since I named the column 'abilitazione' instead of 'enabled'?
EDIT
Maybe I'm starting to understand. I've changed my method like this:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/hello").access("hasRole('ROLE_ADMIN')") // admin-only page
                .anyRequest().permitAll() // everything else is open
                .and()
            .formLogin()
                .loginPage("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            .logout()
                .logoutSuccessUrl("/login?logout")
                .and()
            .exceptionHandling()
                .accessDeniedPage("/403")
                .and()
            .csrf();
    }

but it doesn't recognize the admin user.
I'm following this guide to add security in my Spring Boot web application.
I'm having a problem in the configure method inside my security class, and it's hard for me to understand how to solve it by searching online.
What I want to do is permit access to all the pages if the user is authenticated, except for the admin page.
This is what I wrote:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // admin page restricted to ROLE_ADMIN
        http
            .authorizeRequests()
                .antMatchers("/adminPage").access("hasRole('ROLE_ADMIN')");
        // every other page requires an authenticated user
        http
            .authorizeRequests()
                .anyRequest().authenticated();
        // login form, logout, access-denied page and CSRF protection
        http
            .formLogin()
                .loginPage("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            .logout()
                .logoutSuccessUrl("/login?logout")
                .and()
            .exceptionHandling()
                .accessDeniedPage("/403")
                .and()
            .csrf();
    }

but it's not working, and I can't understand why or what I should do, nor am I finding the solution online (or it's not working/I don't understand it).
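The piece the question never shows is the JDBC authentication setup that maps the asker's own tables (utenti / ruoli_utente) onto Spring Security's two queries. The class below is an added example, not the asker's code or the guide's; it assumes Spring Security 4 on Spring Boot 1.x, a Spring Boot-configured DataSource bean, that the password column has been widened to hold BCrypt hashes, and that the ruolo column stores the full authority names 'ROLE_ADMIN' / 'ROLE_USER'.

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: Spring Boot auto-configures this DataSource from the Postgres properties.
    @Autowired
    private DataSource dataSource;

    // Stored passwords must be BCrypt hashes (60 chars), so the varchar(45) column must be widened.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            .passwordEncoder(passwordEncoder())
            // Spring reads the result by position: column 1 = username, 2 = password, 3 = enabled.
            // Column names are irrelevant, which is why 'abilitazione' already worked as 'enabled'.
            .usersByUsernameQuery(
                "SELECT username, password, abilitazione FROM utenti WHERE username = ?")
            // Again by position: column 1 = username, column 2 = authority.
            // hasRole('ADMIN') and request.isUserInRole('ADMIN') both look for the
            // authority 'ROLE_ADMIN', so that is the exact string 'ruolo' must contain.
            .authoritiesByUsernameQuery(
                "SELECT username, ruolo FROM ruoli_utente WHERE username = ?");
    }
}
```

Because both result sets are read by column position, a query that returns the columns in another order, or a ruolo value without the ROLE_ prefix, makes the user authenticate but lose the role, which is exactly the "false" seen from isUserInRole in EDIT 4.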