Securing URL using User Roles and Spring Security
What if not repeat an endpoint for role
private String userAccess[] = new String[]{"/dashboard/**"};
private String dataAccess[] = new String[]{"/data/**"};
private String adminAccess[] = new String[]{"/admin/**"};
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers(publicResources).permitAll()
.antMatchers(userAccess).hasAnyRole("USER", "DATA", "ADMIN").anyRequest().authenticated()
.antMatchers(dataAccess).hasAnyRole("DATA", "ADMIN").anyRequest().authenticated()
.antMatchers(adminAccess).hasRole("ADMIN").anyRequest().authenticated();
}
Why the application does not see the Roles in Spring Security (Forbidden)
To fix this problem, add the following to the WebSecurityConfig
class in the configure
method at the very beginning:
http
.cors().disable()
.csrf().disable()
Spring Security for REST APIS not working for some roles
I have solved it if any body faces this issue in the future. I changed it to
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/repairs/**").hasAnyAuthority("ADMIN", "MECHANIC")
.antMatchers("/users/**", "/sales-report/**").hasAnyAuthority("ADMIN", "MANAGER")
.antMatchers("/bikes/**", "/transactions/**", "/customers/**", "/spareparts/**")
.hasAnyAuthority("ADMIN", "SALESPERSON")
.anyRequest().authenticated()
.and()
.formLogin().defaultSuccessUrl("/swagger-ui/")
.and()
.logout().permitAll()
.and()
.exceptionHandling().accessDeniedPage("/403")
;
}
I changed the configure method, the problem was that .antMatchers("/api/**").hasAuthority("ADMIN") was restricting other roles to access anything that comes after /api/.
Spring Boot / Spring Security role based authorization not working properly
I think that's the most unobvious thing about Spring Security. Roles and authorities are the same things but roles should be prefixed with ROLE_
. So, the correct usage is
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return Collections.singleton(new SimpleGrantedAuthority("ROLE_ADMIN"));
}
ForeignKey between User and UserRole with Spring Security
When deleting an entity with an @ElementCollection
the delete is cascaded automatically. When doing this through SQL this (might) not be the case, depending on how cascade rules are applied in your database.
But with your setup that should happen automatically.
See also https://stackoverflow.com/a/7696147/2696260
Spring Security - Role check fails permanently
Thank you guys for your help!
Toerktumlare's answer brought me to the solution. I turned on Debug Logging as you suggested. CORS was not the problem, but reading the debug messages brought me on the right way.
The problem was minor though. I stored the roles in the database as "CREATOR" or "USER". Debug messages showed me that Spring was looking for "ROLE_CREATOR" or "ROLE_USER" and - because my roles weren't saved this way - didn't find them. Hence I got a 403 HTTP response.
Spring Security users aren't getting roles
InitialDataLoader.createRoleIfNotFound()
creates Roles with privileges READ_PRIVILEGE
and WRITE_PRIVILEGE
AccountService.getGrantedAuthorities()
builds the SimpleGrantedAuthority
objects based on the privileges and not for the Role ADMIN.
This prevents the Authorization to work as expected. Creating SimpleGrantedAuthority
objects with the required role should fix the Authorization issue here.
Related Topics
How Is the Java Memory Pool Divided
How to Query Xml Using Namespaces in Java with Xpath
When Is the @JSONproperty Property Used and What Is It Used For
Effective Gif/Image Color Quantization
Getting Random Numbers in Java
Why Does the Behavior of the Integer Constant Pool Change at 127
Make Maven to Copy Dependencies into Target/Lib
How to Create an .Exe for a Java Program
How to Get the Subscription Information from Google Play Android Developer API
Converting Between Java.Time.Localdatetime and Java.Util.Date
Using "Like" Wildcard in Prepared Statement
Combining Raw Types and Generic Methods
Why Java Classes Do Not Inherit Annotations from Implemented Interfaces
How to Pass a Parameter to a Java Thread
How to Find Difference Between Two Joda-Time Datetimes in Minutes