Java
SankaSanka, 2021-01-07 19:28:59

How to configure WebSecurityConfig correctly?

Access to the application is open. I want to make sure that access to the admin pages /adminPageProduct, /adminPageUser, etc. is only possible with the ADMIN role.

But it doesn't let me through to the admin pages and sends me to the access denied page, with any role. The roles are defined and are passed to the page normally. Please help, what is my mistake?

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .authorizeRequests()
            // public pages
            .antMatchers("/", "/security/registration").permitAll()
            // admin pages: intended to be ADMIN-only
            .antMatchers("/admin*").hasRole(Role.ADMIN.toString())
            // everything else requires a logged-in user
            .anyRequest().authenticated()
        .and()
            .formLogin()
            .loginPage("/security/login")
            .defaultSuccessUrl("/")
            .permitAll()
        .and()
            .logout()
            .logoutUrl("/security/logout")
            .invalidateHttpSession(true)
            .clearAuthentication(true)
            .deleteCookies("JSESSIONID")
            .permitAll()
        .and()
            .exceptionHandling().accessDeniedPage("/errors/accessDenied");
}


And if it's not here, where can I find it?


2 answer(s)
Orkhan Hasanly @azerphoenix, 2021-01-07

Greetings!
1)

I want to make the entrance to the admin page /adminPageProduct /adminPageUser

It's probably better to use a common prefix for the admin panel, something like /admin/**, and restrict access at that level rather than list each link in the configuration. The URLs would then have the structure /admin/products, /admin/users. In any case, you need to close off access to the entire admin panel.
It seems to me that your problem may be here:
.antMatchers("/admin*")
I don't see other obvious problems, if everything else is configured correctly.

SankaSanka @SankaSanka, 2021-01-10

.antMatchers("/admin/**").hasRole(Role.ADMIN.toString())
Thanks, but it didn't help. Now it lets any role through to these pages, as long as the user is authenticated :(
And if I remove this line and write
@PreAuthorize("hasRole('ADMIN')") at the controller level,
then it doesn't let anyone through at all, with any role. The problem is precisely in how the Role is understood, and it's not clear where to fix it :(
There are 2 users in the database, one with the ADMIN role, the second with USER.
Here is my git: https://gitlab.com/KirillSv/ShopSpring/-/tree/mast...
I will be grateful for any ideas.
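As an added example that is not part of the question or either reply: a complete Spring Security 5 (WebSecurityConfigurerAdapter) configuration for the scenario in this thread, with constructed in-memory users standing in for the two database users. It shows the two Spring Security behaviours that decide whether an ADMIN-only rule fires: antMatchers patterns are tested in order against the request path, and hasRole("X") is satisfied only by an authority named ROLE_X.

```java
// Added example, not code from the question or the answers: a complete
// Spring Security 5.x (WebSecurityConfigurerAdapter) config. Users and
// passwords are constructed stand-ins for the two database users in the thread.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http // CSRF protection is left at its default (enabled)
            .authorizeRequests()
                .antMatchers("/", "/security/registration").permitAll()
                // Matchers are tried top to bottom; the first hit decides.
                // "/admin/**" covers /admin/products but NOT /adminPageProduct,
                // which would fall through to anyRequest().authenticated() and
                // open it to every logged-in user, so admin URLs live under /admin/.
                .antMatchers("/admin/**").hasRole("ADMIN") // requires authority ROLE_ADMIN
                .anyRequest().authenticated()
            .and()
                .formLogin().loginPage("/security/login").defaultSuccessUrl("/").permitAll()
            .and()
                .logout().logoutUrl("/security/logout").invalidateHttpSession(true)
                .clearAuthentication(true).deleteCookies("JSESSIONID").permitAll()
            .and()
                .exceptionHandling().accessDeniedPage("/errors/accessDenied");
    }
    // roles("ADMIN") stores the authority as "ROLE_ADMIN", which is what both
    // hasRole("ADMIN") and @PreAuthorize("hasRole('ADMIN')") test for. An
    // authority stored as plain "ADMIN" satisfies only hasAuthority("ADMIN").
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        PasswordEncoder enc = passwordEncoder();
        return new InMemoryUserDetailsManager(
            User.withUsername("admin").password(enc.encode("admin-pw")).roles("ADMIN").build(),
            User.withUsername("user").password(enc.encode("user-pw")).roles("USER").build());
    }
    @Bean
    public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }
}
```

If the real UserDetailsService loads authorities from the database without the ROLE_ prefix, either store them as ROLE_ADMIN / ROLE_USER or switch the rule to hasAuthority; whichever is chosen, the rule and the stored authority names must agree.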
