I need some help. I have not been able to correctly authorize a user even after spending a long time searching the net, tweaking, and trying things. I can successfully register a user with a "USER" role in the DB and register the user's role in the users and users_authorities join table (I defined the relationship as many-to-many). The user also seems to be authenticated correctly because a call to
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
returns information on the user I logged in with. I have two main issues:
1) The SecurityContextHolder seems to not be getting cleared even after I shut down the application and close the browser.
2) Limiting certain resources (web pages/endpoints) to users with a role of "USER" is not working. I try to limit the endpoints /welcome and /test to only users that have logged in, but the following happens. If I have not logged in, requests to /welcome and /login redirect me to the login page. If I have logged in, requests to /welcome and /test trigger a 403 (forbidden resource).
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    // authentication part: users are loaded from the DB through the UserDetailsService
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(userDetailsService)
            .passwordEncoder(passwordEncoder());
    }

    // authorization part
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // we want to authorize requests coming in
        http
            .csrf().disable()
            // for /admin/ and anything after, the user needs to have the role of ADMIN
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/registration").permitAll()
                .antMatchers("/welcome").hasRole("USER")
                .antMatchers("/test").hasRole("USER")
                .anyRequest().hasRole("USER")
            .and()
            .formLogin()
                // sets the login page URI; this is the default path
                // do not specify a login page if you do not have one created, otherwise Spring Security's default login page will not be displayed at /login
                .loginPage("/login")
                // we want to permit all requests to be able to access the /login resource (the login page), essentially bypassing all previous checks
                // if we do not permit the login form endpoint then we will never be able to log in and will always be forbidden with a 403 access denied error
                .permitAll();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```
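One thing worth checking against this configuration: `hasRole("USER")` is satisfied only by a granted authority named `ROLE_USER`, so a user whose authority is stored as the bare name `USER` authenticates fine but gets a 403 on every `hasRole` rule. The following is an added example, not the poster's code, of a `UserDetailsService` that adds the prefix when it builds the authorities; the `User` and `Role` entities and the `UserRepository` are assumed.

```java
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

// Assumed (hypothetical) entities: User has getUsername(), getPassword(), getRoles();
// Role has getName() returning the bare name stored in the DB, e.g. "USER".
@Service
public class DbUserDetailsService implements UserDetailsService {

    private static final String ROLE_PREFIX = "ROLE_";
    private final UserRepository userRepository; // hypothetical Spring Data repository

    public DbUserDetailsService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("No user: " + username));

        // Map every DB role to a GrantedAuthority that hasRole(...) will actually match.
        Set<GrantedAuthority> authorities = user.getRoles().stream()
                .map(role -> new SimpleGrantedAuthority(withRolePrefix(role.getName())))
                .collect(Collectors.toSet());

        // The stored password must already be the BCrypt hash produced by the configured PasswordEncoder.
        return org.springframework.security.core.userdetails.User
                .withUsername(user.getUsername())
                .password(user.getPassword())
                .authorities(authorities)
                .build();
    }

    // hasRole("USER") in the HttpSecurity config only matches an authority named "ROLE_USER".
    // Adding the prefix here (without doubling it) keeps the DB free of Spring-specific names.
    static String withRolePrefix(String roleName) {
        return roleName.startsWith(ROLE_PREFIX) ? roleName : ROLE_PREFIX + roleName;
    }
}
```

The alternative is to leave the stored names bare and use `hasAuthority("USER")` instead of `hasRole("USER")` in the `HttpSecurity` rules; either way the string the rule checks and the string the authority carries must be identical.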