Users are able to access all endpoints after setting antMachers in Spring Security

Question

I'm developing a spring-boot application and its spring security configuration is as follows:

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter  {
@Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .authorizeRequests()
            .antMatchers("/actuator/**", "/login*", "/logout*")
            .permitAll();

        httpSecurity
            .cors().and()
            .csrf().disable()
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/taas/v1/**").hasRole("admin")
            .antMatchers("/taas/v1/teams", "/taas/v1/profiles", "/taas/v1/tests/summary").hasRole("tester")
            .antMatchers( "/taas/v1/teams", "/taas/v1/tests/summary").hasRole("user")
            .anyRequest().authenticated()
            .and()
            .exceptionHandling().accessDeniedHandler(customAccessDeniedHandler)
            .and()
            .httpBasic()
            .and()
            .formLogin()
            .successHandler(customAuthenticationSuccessHandler)
            .failureHandler(customAuthenticationFailureHandler)
            .and()
            .logout()
                .logoutSuccessHandler(customLogoutSuccessHandler())
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID");
    }
}

Even though i have set the url pattern for each roles. All users are able to access all endpoints as mentioned in antMatchers(). A user with role user is not supposed to access /taas/v1/profiles. But when I try to access that endpoint by logging in as user, I'm getting the response but expected response is 403 forbidden.

I request someone to provide a workaround for me.

Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/209920/discussion-between-akhil-suseelan-and-shababb-karim). — Akhil Suseelan, Mar 19 '20 at 11:32

Akhil Suseelan · Accepted Answer · 2020-03-26T07:15:02.730

I got this issue resolved by doing some minor changes in my antMatchers(). Below is the modified code.

The main issue is that antMatcher() pattern must not contain the context path, see Spring security antMatcher does not work

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter  {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {

        httpSecurity
            .cors()
                .and()
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/profiles").hasAnyRole("TESTER")
                .antMatchers( "/teams", "/tests/summary").hasAnyRole("USER", "TESTER", "ADMIN")
                .anyRequest().authenticated()
                .and().csrf().disable()
            .exceptionHandling()
                .accessDeniedHandler(customAccessDeniedHandler)
                .and()
            .httpBasic()
                .and()
            .formLogin()
                .successHandler(customAuthenticationSuccessHandler)
                .failureHandler(customAuthenticationFailureHandler)
                .and()
            .sessionManagement()
                .invalidSessionUrl("/invalidSession.html")
                .maximumSessions(1).sessionRegistry(sessionRegistry()).and()
                .sessionFixation().none()
                .and()
            .logout()
                .logoutSuccessHandler(customLogoutSuccessHandler())
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID");
    }
}

This won't work, as the `USER` won't be able to access the URLs. As when they match the only role allowed is `TESTER`. You should use`hasAnyRole("USER", "TESTER")` for the URLs that are accesible by both. — M. Deinum, Mar 26 '20 at 07:00

score -1 · Answer 2 · answered Mar 18 '20 at 16:39

-1

Please verify the code that you're sharing because as you've mentioned. A user with role user is not supposed to access /ptaas/v1/profiles. But when I try to access that endpoint by logging in as user.

Where your mapping says you've not configured access to user role as given.

.antMatchers( "/taas/v1/teams", "/taas/v1/tests/summary").hasRole("user")

As per your comments it should have been .antMatchers( "/taas/v1/teams", "/taas/v1/tests/summary", "/ptaas/v1/profiles").hasRole("user")

answered Mar 18 '20 at 16:39

Amit Mishra

498
5
16

therefore ` .antMatchers( "/taas/v1/teams", "/taas/v1/tests/summary").hasRole("user") ` is correct in my point of view. – Akhil Suseelan Mar 18 '20 at 16:46
Oh! Sorry I misunderstand, when the user does not have access to /profiles then it's obvious to get 403 forbidden because the user is not authorized to access the url endpoint – Amit Mishra Mar 18 '20 at 16:46
Exaclty. But I'm not getting 403. – Akhil Suseelan Mar 18 '20 at 16:47
Alright, Could you give me your code, I would like to test it on my IntelliJ – Amit Mishra Mar 18 '20 at 16:48
Oh sorry!. That's not possible at the moment. Do you think my antMatchers() are set properly? – Akhil Suseelan Mar 18 '20 at 16:54
They seems good to me. But I believe it might be because you have permit the access to all at context path / – Amit Mishra Mar 18 '20 at 16:58
Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/209867/discussion-between-akhil-suseelan-and-mindflayera). – Akhil Suseelan Mar 18 '20 at 17:00

Users are able to access all endpoints after setting antMachers in Spring Security

2 Answers2