I've been using Spring Security today for registration / login and still getting to grips with it.
My configuration is:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // authorization rules; matchers are checked in the order they are declared
        .authorizeRequests()
            .antMatchers("/**").permitAll()
            .antMatchers("/login").permitAll()
            .antMatchers("/registration").permitAll()
            .antMatchers("/viewGamers").permitAll()
            .antMatchers("/gameLibrary").permitAll()
            .antMatchers("/admin/**").hasAuthority("ADMIN")
            .anyRequest().authenticated()
            .and()
        .csrf().disable()
        // form login posting "email" / "password"
        .formLogin()
            .loginPage("/login").failureUrl("/login?error=true")
            .defaultSuccessUrl("/gamer/home")
            .usernameParameter("email")
            .passwordParameter("password")
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/")
            .and()
        .exceptionHandling()
            .accessDeniedPage("/access-denied");
}
From this I read that if you go to /admin/anything you MUST have an ADMIN role assigned to you. Is that correct?
I've no logic checks in the controllers that handle it and was a little surprised when a generic non-admin role user was able to go to the /admin/home page.
I've added a new role in the DB, ensured this user has that role associated to it, yet it can still access the admin page, is this correct?
I've run some printlns and can confirm the roles are correct. Have I made a mistake in the config, or do I need the additional logic of if (user.role != "Admin") { send elsewhere } in the admin/home controller?
Thanks in advance.
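The following is an added example, not the poster's code or an answer taken from this thread. In Spring Security's authorizeRequests() the matchers are evaluated top to bottom and the first one that matches decides access, so a leading antMatchers("/**").permitAll() matches every request, including /admin/home, before the /admin/** rule is ever reached. The example shows the same configuration with the specific rule first and the catch-all replaced by anyRequest(), plus a MockMvc check that a non-admin user is refused. It assumes a Spring Boot application with spring-security-test on the test classpath, that the home page "/" (the logout target) is meant to be public, and that the UserDetailsService grants the authority string exactly "ADMIN" (the poster's hasAuthority("ADMIN") is kept; hasRole("ADMIN") would instead look for "ROLE_ADMIN"). The class and test names are placeholders.

```java
// SecurityConfig.java  (src/main/java)
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // First match wins, so the most restrictive rule goes first.
                // Authority string must equal "ADMIN" exactly (hasAuthority, not hasRole).
                .antMatchers("/admin/**").hasAuthority("ADMIN")
                // Public pages listed explicitly; "/" is assumed public because
                // logout redirects there. No "/**" catch-all at the top.
                .antMatchers("/", "/login", "/registration", "/viewGamers", "/gameLibrary").permitAll()
                // Everything not listed above requires a logged-in user.
                .anyRequest().authenticated()
                .and()
            // CSRF is left enabled (the default). Form login and logout work with it
            // as long as the templates submit the _csrf token (Thymeleaf th:action
            // adds it automatically; plain HTML needs a hidden _csrf input).
            .formLogin()
                .loginPage("/login").failureUrl("/login?error=true")
                .defaultSuccessUrl("/gamer/home")
                .usernameParameter("email")
                .passwordParameter("password")
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/")
                .and()
            .exceptionHandling()
                .accessDeniedPage("/access-denied");
    }
}

// AdminAccessTest.java  (src/test/java) - placeholder name; verifies the ordering fix.
// Requires spring-boot-starter-test and spring-security-test.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.forwardedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
class AdminAccessTest {

    @Autowired
    MockMvc mvc;

    @Test
    @WithMockUser(authorities = "USER")   // logged in, but without the ADMIN authority
    void nonAdminIsSentToAccessDeniedPage() throws Exception {
        // AccessDeniedHandlerImpl sets 403 and forwards to the configured page.
        mvc.perform(get("/admin/home"))
           .andExpect(status().isForbidden())
           .andExpect(forwardedUrl("/access-denied"));
    }

    @Test
    void anonymousIsRedirectedToLogin() throws Exception {
        // No authentication at all: ExceptionTranslationFilter redirects to /login.
        mvc.perform(get("/admin/home"))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrlPattern("**/login"));
    }
}
```

With the original ordering both tests fail, because the "/**" rule permits the request before the "/admin/**" rule is consulted; with the rules reordered no role check is needed inside the admin controllers. If the roles stored in the database are prefixed with "ROLE_" when they are turned into GrantedAuthority objects, switch the first rule to hasRole("ADMIN") instead of renaming the stored value.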