Spring
Jake Taylor, 2021-12-03 09:54:45

Why is the request filter not working in Spring Security?

Why do I get 403 Forbidden when a user with ADMINISTRATOR permissions tries to make any request, even though it says that the administrator can make any requests (.anyRequest().hasRole(ADMINISTRATOR.name()))?

There is a query filter like this:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, GIFT_CERTIFICATES + "/**").permitAll() // GUEST - Read operations for main entity
            .antMatchers(AUTHENTICATION + "/**").permitAll()                   // For GUESTs
            .antMatchers(AUTHENTICATION + "/**").anonymous()                    // Access to authorized users is not allowed.
            .antMatchers(HttpMethod.POST, ORDERS).hasRole(USER.name())                      // USER - Make an order on main entity
            .antMatchers(HttpMethod.GET).hasRole(USER.name())                               // USER - All read operations
            .anyRequest().hasRole(ADMINISTRATOR.name())                                     // ADMINISTRATOR - All operations, including addition and modification of entities
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}


1 answer(s)
Orkhan Hasanli, 2021-12-07
@n199a

Good afternoon.
What does ADMINISTRATOR.name() return?
Don't forget the prefix ROLE_ in the role name.
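
The mismatch the answer points at, shown as an added example (not code from the question or from Spring Security itself): hasRole("ADMINISTRATOR") only matches a granted authority named exactly ROLE_ADMINISTRATOR, so what the JWT filter puts into the Authentication decides whether the rule passes. RolePrefixExample, toAuthentication and matchesHasRole are hypothetical names, the enum shape is assumed, and spring-security-core must be on the classpath.

```java
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class RolePrefixExample {
    enum Role { USER, ADMINISTRATOR }   // assumed shape of the asker's enum

    // Hypothetical helper for the JWT filter: turn role names taken from an
    // already verified token into authorities that hasRole(...) rules can match.
    static Authentication toAuthentication(String username, List<String> roleClaims) {
        List<SimpleGrantedAuthority> authorities = roleClaims.stream()
                .map(r -> r.startsWith("ROLE_") ? r : "ROLE_" + r)   // add the prefix once
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        // The three-argument constructor marks the token as authenticated.
        return new UsernamePasswordAuthenticationToken(username, null, authorities);
    }

    // Stand-in for the comparison behind hasRole(role): an exact string match
    // on "ROLE_" + role among the granted authorities.
    static boolean matchesHasRole(Authentication auth, String role) {
        return auth.getAuthorities().stream()
                .anyMatch(a -> a.getAuthority().equals("ROLE_" + role));
    }

    public static void main(String[] args) {
        String role = Role.ADMINISTRATOR.name();   // the bare enum constant name

        // A filter that grants the bare enum name: the anyRequest() rule
        // never matches, and the request is rejected with 403.
        Authentication bare = new UsernamePasswordAuthenticationToken(
                "admin", null, List.of(new SimpleGrantedAuthority(role)));
        System.out.println("bare name  -> " + matchesHasRole(bare, role));

        // A filter that grants the prefixed authority: the rule matches.
        Authentication prefixed = toAuthentication("admin", List.of(role));
        System.out.println("with ROLE_ -> " + matchesHasRole(prefixed, role));
    }
}
```

If the stored authorities cannot carry the prefix, the rules can use hasAuthority(ADMINISTRATOR.name()) instead, which compares the name as given.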
