
I'm trying to understand Spring Security and I have a page that asks you to log in at startup, after which the user has a role. I'm trying to say that all roles can access the welcome page, but if you want to log in to the admin page then you can only be either an EMPLOYEE or a USER.

Here is the configure method:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Rules are evaluated in the order they are declared; the "/*" rule comes first here.
        http.authorizeRequests().antMatchers("/*").hasAnyRole("EMPLOYEE", "USER", "NONE1")
                .antMatchers("/courierapp/admin").hasAnyRole("EMPLOYEE", "USER")
                .anyRequest().authenticated()
                .and().formLogin();
    }

Why is it that /courierapp/admin is still able to be accessed if I have a role of "NONE1" for example?

    As long as you have any of the other roles you are allowed access. – M. Deinum Aug 31 '20 at 19:31
  • @M.Deinum I'm not following what you're saying. This user only has NONE1 and accesses admin even though it is not an employee or a user. Why is that possible? Am I doing the syntax wrong? – hippoman Aug 31 '20 at 20:04
  • That wasn't clear from your question. Also if `/courierapp` is the name of the app (or the base) your URL should be `/admin` which would make the first `/*` match and you would need to reverse the order. – M. Deinum Sep 01 '20 at 05:41

1 Answer

If anyone else is having an issue with Spring Security using antMatchers: the first matcher that matches wins, so in this case I had to do:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Most specific rule first: "/admin" is matched before the broader rule below.
        http.authorizeRequests()
                .antMatchers("/admin").hasAnyRole("EMPLOYEE", "USER")
                .antMatchers("/").hasAnyRole("EMPLOYEE", "USER", "NONE1")
                .anyRequest().authenticated()
                .and().formLogin();
    }

This makes it so only employees and users will be able to access /admin. Also, if there is a base path in your URL and you don't know where it's coming from, that's just the root path.

  • In this case that wouldn't matter. However `/courierapp/admin` and `/admin` are quite different URLs to match. – M. Deinum Sep 01 '20 at 05:34
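As an added example (not the asker's code, and not from the Spring project), here is the corrected ordering as a complete Spring Security 5.x configuration together with a MockMvc test that proves the rule set does what the answer says: a NONE1 user is refused `/admin` (403), reaches `/welcome`, an EMPLOYEE reaches `/admin`, and an anonymous request is redirected to the form login. Everything below is assumed: Spring Boot 2.x with `spring-boot-starter-security`, `spring-boot-starter-test` and `spring-security-test` on the classpath, an existing `@SpringBootApplication` class in the same package, and the `/welcome` and `/admin` endpoints, which are supplied by the small controller so the test does not depend on the asker's views. The three files go in the application's package.

```java
// --- SecurityConfig.java (added example; assumes Spring Security 5.x, where
//     WebSecurityConfigurerAdapter is still the way to configure HttpSecurity) ---
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Most specific and most restrictive rule first. The first matcher that
                // matches a request decides it; later matchers are never consulted.
                .antMatchers("/admin", "/admin/**").hasAnyRole("EMPLOYEE", "USER")
                // Broad rule afterwards. NONE1 appearing here does not grant /admin,
                // because /admin was already decided by the rule above.
                .antMatchers("/", "/welcome").hasAnyRole("EMPLOYEE", "USER", "NONE1")
                .anyRequest().authenticated()
                .and()
                .formLogin();
    }
}

// --- PageController.java (added example; minimal endpoints so the test is self-contained) ---
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class PageController {
    @GetMapping("/welcome") String welcome() { return "welcome"; }
    @GetMapping("/admin")   String admin()   { return "admin"; }
}

// --- SecurityConfigTest.java (added example; assumes spring-security-test, which makes
//     @AutoConfigureMockMvc apply the security filter chain to MockMvc requests) ---
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class SecurityConfigTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    @WithMockUser(roles = "NONE1") // granted authority ROLE_NONE1, which is what hasAnyRole("NONE1") checks
    void none1IsForbiddenOnAdmin() throws Exception {
        mockMvc.perform(get("/admin")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(roles = "NONE1")
    void none1CanReachWelcome() throws Exception {
        mockMvc.perform(get("/welcome")).andExpect(status().isOk());
    }

    @Test
    @WithMockUser(roles = "EMPLOYEE")
    void employeeCanReachAdmin() throws Exception {
        mockMvc.perform(get("/admin")).andExpect(status().isOk());
    }

    @Test
    void anonymousIsSentToFormLogin() throws Exception {
        // No user: formLogin() answers with a redirect to the login page rather than 403.
        mockMvc.perform(get("/admin")).andExpect(status().is3xxRedirection());
    }
}
```

Swapping the two `antMatchers` lines back into the asker's original order makes `none1IsForbiddenOnAdmin` fail, which is the quickest way to see that the rule order, not the role list, is what was letting NONE1 through. Keeping a test like this next to the configuration also catches the same regression later, when someone adds a new broad matcher above the admin rule.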