SpringSecurity configure() method Configuration issues










I've developed REST APIs where the methods are secured with Spring Security.

GITHUB LINK -> Project

It is working, but not as expected.



SpringSecurity.config

---------------------------

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailService).passwordEncoder(encode());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable();
        http
            .authorizeRequests()
                .antMatchers("/user/**")
                .authenticated()
                .anyRequest()
                .hasAnyRole("USER", "ADMIN")
            .and()
            .authorizeRequests()
                .antMatchers("/admin/**")
                .authenticated()
                .anyRequest()
                .hasRole("ADMIN")
            .and()
            .formLogin()
                .permitAll();

        /*http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasAnyRole("USER", "ADMIN")
                .anyRequest()
                .authenticated()
            .and()
            .formLogin()
                .permitAll();*/
    }

    @Bean
    public BCryptPasswordEncoder encode() {
        return new BCryptPasswordEncoder();
    }
}





AdminController

----------------------

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/admin")
public class AdminController {

    @Autowired
    private UserRepo userRepo;
    @Autowired
    private BCryptPasswordEncoder encoder;

    @PostMapping("/add")
    @PreAuthorize("hasRole('ADMIN')")
    public String addUser(@RequestBody User user) {
        // hash the submitted plain-text password before it is persisted
        String encodedPwd = encoder.encode(user.getPassword());
        user.setPassword(encodedPwd);
        userRepo.save(user);
        return "user added successfully...";
    }

    @GetMapping("/demo")
    @PreAuthorize("hasRole('ADMIN')")
    public String getDemo() {
        return "Hi";
    }
}





CustomController

-------------------------

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/user")
public class CustomController {

    @GetMapping("/access")
    @PreAuthorize("hasAnyRole('USER','ADMIN')")
    public String showUser() {
        return "Url Security Provided";
    }
}




CustomUserDetailService

-----------------------------

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class CustomUserDetailService implements UserDetailsService {

    @Autowired
    private UserRepo userRepo;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // userRepo.findByUsername is the Spring Data JPA query method mentioned in the comments
        User user = userRepo.findByUsername(username);
        CustomUserDetails userDetails = null;

        if (user != null) {
            userDetails = new CustomUserDetails();
            userDetails.setUser(user);
        } else {
            throw new UsernameNotFoundException("User Not Found");
        }
        return userDetails;
    }
}





CustomUserDetail

-----------------

import java.util.Collection;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import lombok.Getter;
import lombok.Setter;

@Getter
@Setter
public class CustomUserDetails implements UserDetails {

    private static final long serialVersionUID = 1L;
    private User user;

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        // hasRole("ADMIN") matches the authority string "ROLE_ADMIN"; this relies on
        // each Roles element's toString() being the bare role name (Roles is not shown)
        return user.getRoles().stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .collect(Collectors.toList());
    }

    @Override
    public String getPassword() {
        return user.getPassword();
    }

    @Override
    public String getUsername() {
        return user.getUsername();
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

    public CustomUserDetails() {
        super();
    }
}





User

----------

import java.util.Set;

import javax.persistence.CascadeType;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.JoinTable;
import javax.persistence.OneToMany;

import org.hibernate.annotations.GenericGenerator;

import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;

@Entity
@Getter
@Setter
@NoArgsConstructor
public class User {

    @Id
    @GenericGenerator(name = "gen", strategy = "increment")
    @GeneratedValue(generator = "gen")
    private int user_id;
    private String username;
    private String password;
    private String email;

    @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
    @JoinTable(name = "user_roles",
            joinColumns = @JoinColumn(referencedColumnName = "user_id"),
            inverseJoinColumns = @JoinColumn(referencedColumnName = "role_id"))
    private Set<Roles> roles;
}




The problem is:
With the above setup I can access the URLs which are for USER, not for ADMIN.

If I'm commenting out

http
    /*.authorizeRequests()
        .antMatchers("/user/**")
        .authenticated()
        .anyRequest()
        .hasRole("USER")
    .and()*/
    .authorizeRequests()
        .antMatchers("/admin/**")
        .authenticated()
        .anyRequest()
        .hasRole("ADMIN")
    .and()
    .formLogin()
        .permitAll();

then I can access the URLs which are for ADMIN, but I'm missing authentication on the URLs which are for USER.

Similarly, if I'm commenting out the admin/ part, then the USER part can be accessed. It is behaving like ordering: whichever URL is first, it is recognizing that, and the second one is simply giving 403 in the browser, with nothing in the console.

It is something like an order: whichever is first can be accessed.

Is there anything I'm doing wrong?

If I do not comment out @EnableGlobalSecurity and @PreAuthorize, I can't access any of the URLs that are for ADMIN and USER; it is simply 403. So I can't leave out @EnableGlobalSecurity and @PreAuthorize, as these are for securing REST API methods.










spring spring-boot spring-security






asked Nov 11 at 17:23 by Stone; edited Nov 12 at 9:32











  • Changing it to .antMatchers("/admin/**").hasAnyRole("ADMIN") .antMatchers("/user/**").hasAnyRole("USER") should help. You do not need to call authorizeRequests multiple times.
    – greengreyblue
    Nov 11 at 17:45

  • I have tried it already; in this case I can access neither the USER-based URL nor the ADMIN-based URL.
    – Stone
    Nov 11 at 17:46

  • Even though DB queries are getting fired in the console, it is simply 403 in the browser.
    – Stone
    Nov 11 at 17:51

  • It's Spring JPA, so in userRepo I have one method which loads the user according to the given username.
    – Stone
    Nov 12 at 8:03

  • While you say SQL queries are being executed, it means the method is getting executed (and you can place a debug pointer and debug the method for confirmation). However, it returning 403 means, at a high level, that something is failing with @PostAuthorize, but we do not see any method annotated with the same, and @PreAuthorize is commented out as per your posted code, hence not concerning @EnableGlobalMethodSecurity. Can you share the logs?
    – greengreyblue
    Nov 12 at 8:23

















1 Answer
Just add permission to all your pages for your admin role. This way you make sure that your admin can access any page he wants.



http
    /*.authorizeRequests()
        .antMatchers("/user/**")
        .authenticated()
        .anyRequest()
        .hasRole("USER")
    .and()*/
    .authorizeRequests()
        .antMatchers("/admin/**")
        .hasRole("ADMIN")
        .antMatchers("/user/**")
        .hasAnyRole("ADMIN", "USER")
    .and()
    .formLogin()
        .permitAll();





answered Nov 11 at 17:53 by Alain Cruz; edited Nov 11 at 18:01











  • I have already tried this type of approach; it is not working.
    – Stone
    Nov 12 at 8:02
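A corrected SecurityConfig for the setup in the question, added here as an example and not code from the question, the answer or the linked project: a single authorizeRequests() registry with the specific patterns ahead of anyRequest(), and prePostEnabled = true so that the @PreAuthorize annotations on AdminController and CustomController are actually enforced. It assumes the question's UserDetailsService bean, BCryptPasswordEncoder and form login are unchanged.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
// prePostEnabled is the switch for @PreAuthorize/@PostAuthorize; securedEnabled
// only activates @Secured, so with the question's setting alone the controller
// annotations are never evaluated.
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final UserDetailsService userDetailService;

    // constructor injection of the CustomUserDetailService bean from the question
    public SecurityConfig(UserDetailsService userDetailService) {
        this.userDetailService = userDetailService;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailService).passwordEncoder(encode());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()   // kept as in the question
            .authorizeRequests()
                // One registry. Matchers are tried in order and the first match
                // decides, so the specific paths go first. In the question,
                // anyRequest() came before "/admin/**", which made the admin
                // rule unreachable.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasAnyRole("USER", "ADMIN")
                // anyRequest() must be the last matcher: anything not listed
                // above still requires an authenticated session (default deny).
                .anyRequest().authenticated()
            .and()
            .formLogin().permitAll();
    }

    @Bean
    public BCryptPasswordEncoder encode() {
        return new BCryptPasswordEncoder();
    }
}
```

For hasRole("ADMIN") to match, getAuthorities() has to yield the literal string ROLE_ADMIN; with Set<Roles> the expression "ROLE_" + role only does that if Roles.toString() returns the bare role name, which is worth confirming when .authenticated() rules pass but every hasRole()/hasAnyRole() rule returns 403, as described in the question.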















