How to enable spring security for particular url

Question

im using spring security and my config is

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.
        authorizeRequests()
            .antMatchers("/**").permitAll()
            .antMatchers("/admin/**").hasAuthority("ADMIN").anyRequest().authenticated()
            .and().csrf().disable().formLogin().loginPage("/adminlogin").failureUrl("/adminlogin?error=true")
            .defaultSuccessUrl("/admin/dashboard")
            .usernameParameter("email")
            .passwordParameter("password")
            .and().logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/adminlogin?logout=true").and().exceptionHandling()
            .accessDeniedPage("/accessdenied");
}

now what i am trying to achieve that all links are accessible without any security but link start with /admin/** only allow to user with role "admin".

but rite now it allow /admin/** to everyone.

any suggestions.

i have tried many solutions from stackoverflow i.e How to fix role in Spring Security? but no luck. the behavior remains same,it allows even /admin/ urls to use publicly.

Possible duplicate of [How to fix role in Spring Security?](https://stackoverflow.com/questions/43052745/how-to-fix-role-in-spring-security) — dur, May 21 '18 at 20:59

score 0 · Answer 1 · answered May 21 '18 at 12:18

0

Why not try role?

@Configuration
@EnableWebSecurity
public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
          .authorizeRequests()
          .antMatchers("/admin/**").hasRole("ADMIN");
    }
   }

ref : http://www.baeldung.com/spring-security-expressions-basic

answered May 21 '18 at 12:18

Sheetal Mohan Sharma

2,908
1
23
24

i have tried this but no luck , the behavior remains same. – M Hamza Javed May 22 '18 at 07:34
Did u debug which line it fails ?Change the order or remove this .antMatchers("/**").permitAll() and add line by line conditions – Sheetal Mohan Sharma May 22 '18 at 08:43

score 0 · Accepted Answer · answered May 24 '18 at 10:39

http
    .csrf().disable()      
    .httpBasic().and()
    .authorizeRequests()
        .antMatchers("/admin/**").hasAuthority("ADMIN")
        .antMatchers("/**").permitAll()
        .anyRequest().authenticated()
        .and()
    .formLogin()
    .loginPage("/adminLogin").failureUrl("/adminLogin?error=true")
    .defaultSuccessUrl("/admin/dashboard")
    .usernameParameter("email")
    .passwordParameter("password")
    .and().logout()
    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
    .logoutSuccessUrl("/adminLogin?logout=true").and().exceptionHandling()
    .accessDeniedPage("/accessdenied");

works perfectly for me.

How to enable spring security for particular url

2 Answers2