-1

I'm trying to allow only users that have role 'ADMIN' to access the following endpoints:

../adminconfig/* (those that have 'adminconfig' in the url)

Here is my configuration:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@EnableWebSecurity
@RestController
public class BootApplication extends WebSecurityConfigurerAdapter {

    public static void main(String[] args) {
        SpringApplication.run(BootApplication.class, args);
    }

    // Two in-memory accounts: "user" with ROLE_USER and "admin" with ROLE_ADMIN.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("user").password("{noop}1").roles("USER").and()
                .withUser("admin").password("{noop}1").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
                .authorizeRequests()
                // Rules are evaluated in declaration order; this catch-all
                // comes first, so it matches every request, including /adminconfig/**.
                .anyRequest().authenticated()
                // Declared after the catch-all, so it is never consulted.
                .antMatchers("/adminconfig/**").hasRole("ADMIN")
                .and()
                .formLogin().and()
                .httpBasic();
    }

}

But still I can access them with any other user, for example with the 'USER' role. What am I doing wrong?

sergey
    Possible duplicate of [How to fix role in Spring Security?](https://stackoverflow.com/questions/43052745/how-to-fix-role-in-spring-security) – dur Jul 24 '18 at 17:52

1 Answer

0

Found the solution. I had to move antMatchers() above the .anyRequest().authenticated():

            .antMatchers("/adminconfig/**").hasRole("ADMIN")
            .anyRequest().authenticated()
sergey
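The ordering rule behind the accepted fix (first matching rule wins, so the most specific matcher must precede the catch-all) is easy to regress when someone later edits the chain. The following is an added example, not code from the question or answer above: a corrected configuration in the same WebSecurityConfigurerAdapter style, plus a MockMvc test that fails if the /adminconfig/** rule ever slips below anyRequest() again. The /adminconfig/ping and /hello endpoints, the class names, and the Spring Boot 2.x test setup (spring-boot-starter-security, spring-security-test, JUnit 5) are assumptions for this example; the question names only the /adminconfig/* prefix.

```java
// src/main/java/example/OrderedRulesApplication.java (hypothetical path)
package example;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
public class OrderedRulesApplication {

    public static void main(String[] args) {
        SpringApplication.run(OrderedRulesApplication.class, args);
    }

    // Constructed endpoints so the rules have something to protect.
    @RestController
    public static class DemoController {
        @GetMapping("/adminconfig/ping")
        public String adminPing() { return "admin-ok"; }

        @GetMapping("/hello")
        public String hello() { return "hello"; }
    }

    @EnableWebSecurity
    public static class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("user").password("{noop}1").roles("USER").and()
                .withUser("admin").password("{noop}1").roles("ADMIN");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    // Most specific rule first: the first matcher that matches a
                    // request decides, and later rules are not consulted for it.
                    .antMatchers("/adminconfig/**").hasRole("ADMIN")
                    // Catch-all last: everything else only needs a login.
                    .anyRequest().authenticated()
                .and()
                .formLogin().and()
                .httpBasic();
        }
    }
}

// src/test/java/example/AdminConfigAccessTest.java (hypothetical path)
package example;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
class AdminConfigAccessTest {

    @Autowired
    MockMvc mvc;

    // This is the case the original ordering got wrong: a ROLE_USER principal
    // must be rejected with 403, not served.
    @Test
    @WithMockUser(roles = "USER")
    void userCannotReachAdminConfig() throws Exception {
        mvc.perform(get("/adminconfig/ping")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminCanReachAdminConfig() throws Exception {
        mvc.perform(get("/adminconfig/ping")).andExpect(status().isOk());
    }

    // The catch-all still applies to everything outside /adminconfig/**.
    @Test
    @WithMockUser(roles = "USER")
    void userCanReachOtherAuthenticatedEndpoints() throws Exception {
        mvc.perform(get("/hello")).andExpect(status().isOk());
    }
}
```

Run it with `mvn test` (or `gradle test`). With the rules in the order shown, all three tests pass; swap the two `authorizeRequests()` lines back into the question's order and `userCannotReachAdminConfig` fails, which is exactly the regression you want a build to catch. Recent Spring Security releases go one step further and refuse to start when a matcher is registered after `anyRequest()`, but on versions that accept it the misordered rule is silently ignored, as the question observed.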