I use SpringLemon for my project. I would like to customize the authorizeRequests method so that any request that starts with "/xyz" is only accessible to authenticated users ("/xyz/abc", "/xyz/def", "xyz/ghi/jkl", etc.). In order to do this, I made my own class extending the LemonWebSecurityConfig class, and made it a configuration class. I've overridden the authorizeRequests method to look like this:

    @Override
    protected void authorizeRequests(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .mvcMatchers("/xyz/**").authenticated()
            .mvcMatchers("/**").permitAll();
    }

When I tested it, it worked for those "/xyz" URLs (got 403 without authentication), and "/api/core/context" gave me "200", but the "/api/core/login" URL always gave me 404. It responds with 404 even if I don't override the authorizeRequests method and only have the empty configuration class. What am I missing?

Siriann

1 Answer

Actually, I extended the wrong class. Using the right class (as seen in lemon-demo-jpa), it works perfectly:

@Component
public class MySecurityConfig extends LemonJpaSecurityConfig {

    @Override
    protected void authorizeRequests(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .mvcMatchers("/xyz/**").authenticated();
        super.authorizeRequests(http);
    }
}
Siriann
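
A regression test for the access rules in the answer above, as an added example that is not part of the original post or of Spring Lemon. It assumes Spring Boot 2.x with JUnit 5 and spring-boot-starter-test on the test classpath, that the login endpoint accepts POST, and the hypothetical class name `XyzAccessRulesTest`; the expected 403 and 200 statuses are the ones reported in the question.

```java
import static org.hamcrest.Matchers.not;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Added example (hypothetical test class, not from the post or the library).
@SpringBootTest
@AutoConfigureMockMvc // MockMvc is built with the Spring Security filter chain applied
class XyzAccessRulesTest {

    @Autowired
    private MockMvc mvc;

    // The "/xyz/**" rule is registered before super.authorizeRequests(http),
    // so it is evaluated first and anonymous requests must be rejected.
    @Test
    void anonymousRequestsUnderXyzAreRejected() throws Exception {
        for (String path : new String[] {"/xyz/abc", "/xyz/def", "/xyz/ghi/jkl"}) {
            mvc.perform(get(path)).andExpect(status().isForbidden());
        }
    }

    // The rules inherited from the parent class must still leave the
    // context endpoint reachable without authentication.
    @Test
    void contextEndpointStaysPublic() throws Exception {
        mvc.perform(get("/api/core/context")).andExpect(status().isOk());
    }

    // Guards against the symptom from the question: with the wrong parent
    // class the login URL was not registered at all and answered 404.
    // Assumption: login is a POST endpoint; no credentials are sent, so any
    // status other than 404 shows that the endpoint exists.
    @Test
    void loginEndpointIsRegistered() throws Exception {
        mvc.perform(post("/api/core/login")).andExpect(status().is(not(404)));
    }
}
```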