
I am new to Spring Security. We are using Spring Security 5.4.5 with Spring Boot in one of my sample examples.

I have the config class below, in which I am trying to apply Spring Security authentication/authorization to the /user and /admin endpoints of the REST API.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    PasswordEncoder bcryptPasswordEncoder;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .anonymous().principal("guest").authorities("GUEST_ROLE") // provide the name and role for the anonymous user
            .and()
            .authorizeRequests()
            .antMatchers("/register").anonymous() // allows the registration page to be accessed by anonymous users only
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/admin").hasAnyRole("ADMIN_ROLE")
            .antMatchers(HttpMethod.GET, "/user").hasAnyRole("STUDENT_ROLE", "ADMIN_ROLE")
            .and()
            .httpBasic();
    }

    @Override
    @Bean
    protected UserDetailsService userDetailsService() {
        UserDetails annaSmithUserDetails = User.builder()
                .username("annasmith")
                .password(bcryptPasswordEncoder.encode("password")) // default password encoder is bcrypt
                .roles("STUDENT_ROLE", "ADMIN_ROLE") // roles of the user
                .authorities("STUDENT_READ", "STUDENT_WRITE", "COURSE_READ", "COURSE_WRITE") // authorities, or we can say permissions, assigned to the user
                .build();
        return new InMemoryUserDetailsManager(annaSmithUserDetails); // can configure different
    }

}

As per the above Spring configuration, /user will be accessible to both the USER and ADMIN roles and /admin will be accessible to the ADMIN role.

When I try to access /user in the browser it displays the username and password popup, and once I enter the correct credentials of the configured user it is not working and gives the 403 error.

I have the three questions below:

  1. I am not seeing any error in the console log. Is there a way I can see why Spring Security is showing the 403 error?
  2. What is the issue with the above Spring Security configuration, as I am not able to access the REST API endpoints?
Beast

1 Answer

  1. I am not seeing any error in the console log. Is there a way I can see why Spring Security is showing the 403 error?

By enabling Spring debug logs; how to do this can be found with a simple Google search or in the Spring documentation. Learn to debug your application (debugging your application should always be the first thing you learn, and should be done before asking on Stack Overflow).

  2. What is the issue with the above Spring Security configuration, as I am not able to access the REST API endpoints?

Could be several issues, since you have not disclosed how you are accessing the application: by curl, web browser, another web client using fetch in a React application, etc. This should also be included when you ask on Stack Overflow, so that people are able to reproduce the issue at hand.

But listing some of the things that can be wrong:

  • Your request is done improperly.
  • Your password might not be correct, because I see you are encrypting your password incorrectly (see the documentation for how to actually do it).
  • Ensure your password is stored with the correct prefix, or use UserBuilder users = User.withDefaultPasswordEncoder(); when building your user, as in the docs.
  • Roles should be defined without prefixes or suffixes (_ROLE) if you want to follow any standard.
  • After you are logged in, are you redirected to something you are not allowed to access?

As you can see there are several things that can be wrong, but you have provided too little information to be able to answer, and there are a lot of things you can do before asking on Stack Overflow.

The answer is vague since the question is vague.

Toerktumlare
  • Thank you for sharing the details. I was able to solve the problem and will make sure to provide sufficient details next time in the question. – Beast Feb 28 '21 at 17:58
  • I have already mentioned the statement below in the question: "When I try to access /user in the browser it displays the username and password popup, and once I enter the correct credentials of the configured user it is not working and gives the 403 error." So I did not understand your comment when you say that I have not mentioned how I am trying to access the application. Can you please elaborate on that? – Beast Feb 28 '21 at 20:18