How to Fix Role in Spring Security

Securing URL using User Roles and Spring Security

How to avoid repeating an endpoint for each role

// publicResources is referenced below but not shown in the original snippet; placeholder values assumed here
private String publicResources[] = new String[]{"/", "/login"};
private String userAccess[] = new String[]{"/dashboard/**"};
private String dataAccess[] = new String[]{"/data/**"};
private String adminAccess[] = new String[]{"/admin/**"};

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
        .antMatchers(publicResources).permitAll()
        .antMatchers(userAccess).hasAnyRole("USER", "DATA", "ADMIN")
        .antMatchers(dataAccess).hasAnyRole("DATA", "ADMIN")
        .antMatchers(adminAccess).hasRole("ADMIN")
        // anyRequest() must appear exactly once and after every antMatchers():
        // registering a matcher after anyRequest() throws IllegalStateException at startup
        .anyRequest().authenticated();
}

Why the application does not see the Roles in Spring Security (Forbidden)

To fix this problem, add the following to the WebSecurityConfig class in the configure method at the very beginning:

http
    .cors().disable()
    .csrf().disable()

Spring Security for REST APIS not working for some roles

I have solved it, in case anybody faces this issue in the future. I changed it to

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/repairs/**").hasAnyAuthority("ADMIN", "MECHANIC")
        .antMatchers("/users/**", "/sales-report/**").hasAnyAuthority("ADMIN", "MANAGER")
        .antMatchers("/bikes/**", "/transactions/**", "/customers/**", "/spareparts/**")
            .hasAnyAuthority("ADMIN", "SALESPERSON")
        .anyRequest().authenticated()
        .and()
        .formLogin().defaultSuccessUrl("/swagger-ui/")
        .and()
        .logout().permitAll()
        .and()
        .exceptionHandling().accessDeniedPage("/403");
}

I changed the configure method; the problem was that .antMatchers("/api/**").hasAuthority("ADMIN") was preventing the other roles from accessing anything under /api/.

Spring Boot / Spring Security role based authorization not working properly

I think that's the most unobvious thing about Spring Security. Roles and authorities are the same things but roles should be prefixed with ROLE_. So, the correct usage is

@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    // hasRole("ADMIN") in the HttpSecurity config matches this "ROLE_ADMIN" authority
    return Collections.singleton(new SimpleGrantedAuthority("ROLE_ADMIN"));
}
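To tie the two points above together (one catch-all rule placed last, and the ROLE_ prefix that hasRole() expects), here is an added, consolidated Spring Security 5.x configuration; it is not code from any of the answers. It reuses the URL groups from the first question, and the in-memory users, passwords and the /403 page are constructed sample values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholder public paths (assumed); the role-tiered groups match the first question
    private static final String[] PUBLIC_RESOURCES = {"/", "/login", "/css/**"};
    private static final String[] USER_ACCESS  = {"/dashboard/**"};
    private static final String[] DATA_ACCESS  = {"/data/**"};
    private static final String[] ADMIN_ACCESS = {"/admin/**"};

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // First matching rule wins, so list the most restrictive paths first.
                .antMatchers(PUBLIC_RESOURCES).permitAll()
                .antMatchers(ADMIN_ACCESS).hasRole("ADMIN")                 // needs authority ROLE_ADMIN
                .antMatchers(DATA_ACCESS).hasAnyRole("DATA", "ADMIN")       // ROLE_DATA or ROLE_ADMIN
                .antMatchers(USER_ACCESS).hasAnyRole("USER", "DATA", "ADMIN")
                // Exactly one catch-all, and it must be last: any antMatchers() added
                // after anyRequest() throws IllegalStateException at startup.
                .anyRequest().authenticated()
            .and().formLogin()
            .and().exceptionHandling().accessDeniedPage("/403");
        // CSRF protection is left enabled; the form login above works with it as-is.
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Constructed sample users. User.builder().roles("DATA") stores the authority as
    // "ROLE_DATA", which is exactly what hasRole("DATA") checks. When loading roles from
    // your own database, either add the ROLE_ prefix before building SimpleGrantedAuthority
    // or switch the matchers to hasAuthority()/hasAnyAuthority() and use the raw value.
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        PasswordEncoder enc = passwordEncoder();
        return new InMemoryUserDetailsManager(
            User.builder().username("alice").password(enc.encode("alice-pw")).roles("USER").build(),
            User.builder().username("bob").password(enc.encode("bob-pw")).roles("DATA").build(),
            User.builder().username("root").password(enc.encode("root-pw")).roles("ADMIN").build());
    }
}
```

With this in place, a user holding only ROLE_USER receives 403 on /data/** and /admin/**, while an authority stored as plain "USER" (no prefix) would be rejected everywhere hasRole() is used, which is the symptom described in the later answers.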

ForeignKey between User and UserRole with Spring Security

When deleting an entity with an @ElementCollection the delete is cascaded automatically. When doing this through SQL this (might) not be the case, depending on how cascade rules are applied in your database.

But with your setup that should happen automatically.

See also https://stackoverflow.com/a/7696147/2696260

Spring Security - Role check fails permanently

Thank you guys for your help!
Toerktumlare's answer brought me to the solution. I turned on debug logging as you suggested. CORS was not the problem, but reading the debug messages put me on the right track.

The problem was minor, though. I stored the roles in the database as "CREATOR" or "USER". The debug messages showed me that Spring was looking for "ROLE_CREATOR" or "ROLE_USER" and, because my roles weren't saved that way, didn't find them. Hence I got a 403 HTTP response.

Spring Security users aren't getting roles

InitialDataLoader.createRoleIfNotFound() creates roles with the privileges READ_PRIVILEGE and WRITE_PRIVILEGE.

AccountService.getGrantedAuthorities() builds the SimpleGrantedAuthority objects based on the privileges and not for the Role ADMIN.

This prevents the authorization from working as expected. Creating SimpleGrantedAuthority objects with the required role should fix the authorization issue here.
