I've two URLs in my application:

  • /sa/abc (which should be accessible to role - ABC)
  • /sa/practice (which should be accessible to role - ADMIN)

For this I've configured:

http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
    .authorizeRequests()
        // broadest pattern: matches every request under /sa/
        .antMatchers("/sa/**").authenticated()
        // more specific patterns listed after the broad one
        .antMatchers("/sa/abc/**").hasAnyAuthority("ABC")
        .antMatchers("/sa/practices/**").hasAnyAuthority("ADMIN");

I was expecting user with role ABC will not be able to access /sa/practices/link1, but he is able to.

Also I want to know what will happen to the links which are not mentioned in antMatchers. My guess is they can be accessed without any issue regardless of the role.

Am I correct?

dur
sonic boom

1 Answer

Order matters. The first ant pattern that matches decides the access. So in your case:

http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
    .authorizeRequests()
        // most specific patterns first: evaluated before the catch-all below
        .antMatchers("/sa/abc/**").hasAnyAuthority("ABC")
        .antMatchers("/sa/practices/**").hasAnyAuthority("ADMIN")
        // least specific pattern last, so it only applies to remaining /sa/ paths
        .antMatchers("/sa/**").authenticated();

Note that the least specific path is last.
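The following is an added example, not part of the answer above and not Spring Security code: a small Python model of the first-match rule that `antMatchers` chains follow. It converts Ant-style patterns to regular expressions (a simplified version of Spring's `AntPathMatcher`: `**` spans path segments, `*` stays within one segment, `?` is one character) and walks the rules in order, stopping at the first match. It runs both the original ordering and the corrected one against the question's URLs, and also models the second question: a path matched by no rule is not secured at all, which is why a closing `anyRequest().denyAll()` (or `authenticated()`) is the usual defensive fallback. The rule lists, paths and authority sets are constructed for the demonstration.

```python
import re

# Access spec: the string "authenticated" (any logged-in user) or a set of
# authorities of which the user must hold at least one (hasAnyAuthority).
AUTHENTICATED = "authenticated"

# Constructed rule chains mirroring the question and the answer.
MISORDERED = [
    ("/sa/**", AUTHENTICATED),          # catch-all first: swallows every /sa/ request
    ("/sa/abc/**", {"ABC"}),
    ("/sa/practices/**", {"ADMIN"}),
]
CORRECT = [
    ("/sa/abc/**", {"ABC"}),
    ("/sa/practices/**", {"ADMIN"}),
    ("/sa/**", AUTHENTICATED),          # least specific last
]


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regex.

    Simplified model of AntPathMatcher: '/**' matches zero or more further
    segments (so '/sa/**' also matches '/sa'), '*' matches within one segment,
    '?' matches a single character, everything else is literal.
    """
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out += "(?:/.*)?"
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def first_match(rules, path):
    """Return the pattern of the first rule matching the path, or None."""
    for pattern, _ in rules:
        if ant_to_regex(pattern).match(path):
            return pattern
    return None


def decide(rules, path, authorities, fallback="permit"):
    """First matching rule decides, exactly like an antMatchers chain.

    authorities: None for an anonymous request, otherwise the set of granted
    authorities. fallback models what happens when nothing matches: Spring
    Security leaves such a request unsecured ("permit"); adding
    anyRequest().denyAll() corresponds to fallback="deny".
    """
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            if authorities is None:
                return False          # authenticated() and hasAnyAuthority() both reject anonymous
            if access == AUTHENTICATED:
                return True
            return bool(set(access) & set(authorities))
    return fallback == "permit"


if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("correct", CORRECT)):
        print(name, "/sa/practices/link1 as ABC ->",
              first_match(rules, "/sa/practices/link1"),
              decide(rules, "/sa/practices/link1", {"ABC"}))
    print("unmatched /public/page, anonymous, no fallback ->",
          decide(CORRECT, "/public/page", None))
    print("unmatched /public/page, anonymous, denyAll fallback ->",
          decide(CORRECT, "/public/page", None, fallback="deny"))
```

In the misordered chain `first_match` reports `/sa/**` for `/sa/practices/link1`, so the `ADMIN` rule is never consulted and the `ABC` user gets through; in the corrected chain the `ADMIN` rule wins and the same user is refused. The last two lines show that an unmatched path passes for everyone unless the chain ends with an explicit fallback.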

holmis83