I am trying to convert a Spring Security 3 @Secured("admin") annotation into Spring Security 4 compatible fashion.
This is my usersService.java
@PreAuthorize("hasAuthority('admin')")
public List<User> getAllUsers() {
return usersDao.getAllUsers();
}
Then in security-context.xml I have:
<security:intercept-url pattern="/admin" access="permitAll" />
...
<security:global-method-security pre-post-annotations="enabled" />
getAllUsers() is called by a LoginController.java
@RequestMapping("/admin")
public String showAdmin(Model model) {
List<User> users = usersService.getAllUsers();
model.addAttribute("users", users);
return "admin";
}
In mySql database, there are two tables, users and authorities. authorities has 2 columns, username and authority. administrator has authority admin.
Now if I trie to access /admin, I will be redirected to /login, but after I log in with administrator, I still get "access denied".
I think I must have missed something very basic but as I am new to Spring, I could not figure it out. Any help would be appreciated. Thanks.
Update: I tried changing the annotation to @PreAuthorize("hasRole('ROLE_ADMIN')") and I also changed the "authority" column in mySql for admin from "admin" to "ROLE_ADMIN" but it still gives me 403. I did not have much faith on this because before this error, I had to change hasRole('admin') in securityContext.xml to hasAuthority('admin').
