I am using Spring Data REST and I have a find method in my repository:

public List<Contact> findByLastNameOrderByLastNameAsc(@Param("lastName") String lastName);

I am trying to add security to the method, but no luck. In my DB, I have 1 user with the role 'ROLE_USER'. When the service starts, the login form comes up and I am able to login with the credentials in the DB.

Here is my web security config:

// Registers a JDBC-backed UserDetailsService. Only the user query is overridden;
// authorities are still loaded with the default "authorities" table query.
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.jdbcAuthentication()
        .dataSource(dataSource)
        .usersByUsernameQuery("select username,identification,enabled from users where username = ?");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            // Spring Data REST exposes query methods under /contacts/search/{methodName},
            // so this pattern never matches a real request and the ADMIN rule is never applied.
            .antMatchers("/contacts/findByLastNameOrderByLastNameAsc").hasRole("ADMIN")
            // Matchers are evaluated in order; the first /contacts/** rule wins,
            // so the hasRole("USER") rule below it is unreachable.
            .antMatchers("/contacts/**").fullyAuthenticated()
            .antMatchers("/contacts/**").hasRole("USER")
            .anyRequest().authenticated()
            .and()
        .formLogin();
}

When I try to invoke the service in my repository, I am not seeing any authentication error. Using my browser, the URL comes up fine, even though the user in the DB does not have the 'ADMIN' role.

I tried adding 'RolesAllowed' to the method in my repository, but no luck:

@RolesAllowed(value = { "ADMIN" })
public List<Contact> findByLastNameOrderByLastNameAsc(@Param("lastName") String lastName);

Am I going about adding security to the REST API provided by Spring Data correctly? Ideas on how to get this to work?

Thanks.

user1459641

1 Answer

FWIW: I forgot to add the jsr250 support. So, I added this config:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

// Enables JSR-250 method security; without this, @RolesAllowed on repository
// methods is silently ignored.
@Configuration
@EnableGlobalMethodSecurity(jsr250Enabled = true)
public class MethodSecurityConfig {

}

Now the RolesAllowed annotation is working fine.

user1459641
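The following is an added example that is not code from the question or the answer above. It puts both layers together: the URL rule on the path Spring Data REST actually uses for query methods (`/contacts/search/...`), and the JSR-250 rule on the repository method that the answer's `MethodSecurityConfig` enables. The `Contact` entity, `ContactRepository` interface, and package name are assumptions; the question only shows the one query method.

```java
// Added example (not from the original page). Assumes a JPA entity named Contact,
// a configured DataSource, and Spring Data REST exporting the repository at /contacts.
// Each type below would normally live in its own file; they are package-private
// here so the example compiles as a single unit.
package example.security;

import java.util.List;

import javax.annotation.security.RolesAllowed;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Assumed entity: only the field the query method sorts on is modelled.
@Entity
class Contact {
    @Id
    @GeneratedValue
    private Long id;
    private String lastName;

    protected Contact() {
    }

    public Contact(String lastName) {
        this.lastName = lastName;
    }

    public Long getId() {
        return id;
    }

    public String getLastName() {
        return lastName;
    }
}

// Layer 1: method security. This is what makes @RolesAllowed take effect; without
// it the annotation is ignored and the query method is callable by anyone.
@Configuration
@EnableGlobalMethodSecurity(jsr250Enabled = true)
class MethodSecurityConfig {
}

// Layer 2: URL security. Spring Data REST publishes repository query methods under
// /{repository}/search/{methodName}, so that is the path the matcher must name.
@Configuration
@EnableWebSecurity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Most specific rule first: matchers are evaluated top to bottom.
                .antMatchers("/contacts/search/findByLastNameOrderByLastNameAsc").hasRole("ADMIN")
                .antMatchers("/contacts/**").hasRole("USER")
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}

// Assumed repository. The method rule is enforced on every call path, including a
// direct Java call, not only on the HTTP route above.
interface ContactRepository extends JpaRepository<Contact, Long> {
    // Spring Security 4+ prepends ROLE_ to @RolesAllowed values, so "ADMIN" matches the
    // same ROLE_ADMIN authority that hasRole("ADMIN") checks. On Spring Security 3.x the
    // prefix is not added and the value must be written as "ROLE_ADMIN".
    @RolesAllowed("ADMIN")
    List<Contact> findByLastNameOrderByLastNameAsc(@Param("lastName") String lastName);
}
```

To check it, log in as the account that only holds ROLE_USER and request `/contacts/search/findByLastNameOrderByLastNameAsc?lastName=Smith`: the URL rule should answer 403. Temporarily delete the `/contacts/search/...` matcher and repeat the request; the `@RolesAllowed` rule should still produce an access-denied response, which confirms the method layer is active on its own. On Spring Security 5.7 and later, `WebSecurityConfigurerAdapter` is replaced by a `SecurityFilterChain` bean and `@EnableGlobalMethodSecurity` by `@EnableMethodSecurity(jsr250Enabled = true)`; the rules themselves are unchanged.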