
I am trying to apply URL- and role-based authentication in the following way:

http
    .authorizeRequests()
        .antMatchers("/rest/**").hasRole("ADMIN")
        .and()
    .authorizeRequests()
        .antMatchers("/admin/**").hasRole("MANAGER")
        .and()
    .authorizeRequests()
        .antMatchers("/restApi/**").hasRole("USER")
        .anyRequest().authenticated()
        .and()
    .formLogin()
        .permitAll();

But after entering the username and password, I am getting back the default login screen provided by Spring Boot.

If I use permitAll() instead of hasRole(), then it works correctly.
Where am I wrong?

dur
tushar

1 Answer

dur's answer shows a good way to use multiple REST endpoints here: https://stackoverflow.com/a/41527591/2566098

I tested this example with a fresh project and had to add "{noop}" in front of the password string to get it to work, but it works great.

Basically we separate each endpoint into its own extension of WebSecurityConfigurerAdapter.

In this example it is:

http
    .antMatcher("/api/**")
    .authorizeRequests()
    .anyRequest().hasRole("ADMIN")
    .and().httpBasic();

While you have it reversed, use antMatchers (plural), and are missing anyRequest() (not sure if this makes a difference):

http
    .authorizeRequests()
    .antMatchers("/rest/**").hasRole("ADMIN")
Lukos
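
The layout the answer describes, applied to the three paths from the question, as an added example that is not code from the post or from the linked answer. It assumes Spring Security 5.x (where WebSecurityConfigurerAdapter is available); the class names, usernames and passwords are constructed for illustration.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class names; one adapter per protected path prefix.
@EnableWebSecurity
public class MultiEndpointSecurityConfig {
    // Constructed demo users. "{noop}" stores the password unencoded: test use only.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password("{noop}admin-pass").roles("ADMIN").and()
            .withUser("manager").password("{noop}manager-pass").roles("MANAGER").and()
            .withUser("user").password("{noop}user-pass").roles("USER");
    }

    @Configuration
    @Order(1) // evaluated first; antMatcher (singular) scopes this chain to /rest/**
    public static class RestConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/rest/**").authorizeRequests().anyRequest().hasRole("ADMIN")
                .and().httpBasic();
        }
    }

    @Configuration
    @Order(2) // scoped to /admin/**
    public static class AdminConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/admin/**").authorizeRequests().anyRequest().hasRole("MANAGER")
                .and().httpBasic();
        }
    }

    @Configuration // no @Order: falls back to the adapter default and handles everything else
    public static class DefaultConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().antMatchers("/restApi/**").hasRole("USER")
                .anyRequest().authenticated()
                .and().formLogin().permitAll();
        }
    }
}
```

Each user can reach only the prefix matching its role, and hasRole("ADMIN") checks for the authority ROLE_ADMIN, which roles("ADMIN") assigns.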