In the following class, which extends WebSecurityConfigurerAdapter, I've overridden the configure(HttpSecurity) method.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)   // enables @Secured on bean methods
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Two in-memory users (plain-text passwords work on Spring Security 4.x;
    // 5.x requires a PasswordEncoder)
    @Autowired
    public void configureAuth(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("fabio")
                .password("123")
                .roles("ADMIN")
            .and()
                .withUser("joe")
                .password("123")
                .roles("GUEST");
    }

    // URL-level rules, evaluated in order; the first matching rule wins
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/post/list").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .logout();
    }
}

With this I should be able to get to the localhost:8080/post/list page without having to log in as a user, since it has .permitAll(), but when I try to get into it, it always prompts the login page first; only after I enter the previous credentials am I able to view it. How can I fix this?

Controller class:

import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/post")
public class HomeController {

    // Method-level check: requires the ROLE_GUEST authority, evaluated after the URL rules
    @Secured("ROLE_GUEST")
    @RequestMapping("/list")
    public String list() {
        return "list...";
    }

    @Secured("ROLE_USER")
    @RequestMapping("/drafts")
    public String drafts() {
        return "drafts...";
    }

    @Secured({"ROLE_ADMIN", "ROLE_USER"})
    @RequestMapping("/add")
    public String add() {
        return "adding...";
    }
}
– MrSir

1 Answer

According to the @RequestMapping definition there is a conflict, because the handler is secured by the annotation @Secured("ROLE_GUEST") but you also need to access it with the .permitAll() configuration.

Option 1: Just remove the @Secured("ROLE_GUEST") in order to let .permitAll() do the work.

Option 2: Use @Secured("ROLE_ANONYMOUS") on the @RequestMapping("/list") instead of @Secured("ROLE_GUEST"). You can see the definition of ROLE_ANONYMOUS in the Spring Documentation.

It will depend on the path value after /post/list. Please see the following examples of how to define antMatchers depending on the path value.

localhost:8080/post/list = .antMatchers("/post/list").permitAll()

localhost:8080/post/list/stuff = .antMatchers("/post/list/**").permitAll()

localhost:8080/post/list, localhost:8080/post/list1234 = .antMatchers("/post/list**").permitAll()

For more information visit the AntPathMatcher documentation and HttpSecurity.

– Daniel C.
  • That's this: `localhost:8080/post/list`. Isn't it supposed to work with my code? – MrSir Aug 25 '17 at 09:27
  • Yes it is, this is how it works. Just make sure about something: how is the path declared on the `@RequestMapping` handler? Could you provide it? And also visit this post https://stackoverflow.com/questions/29721098/enableglobalmethodsecurity-vs-enablewebsecurity#29721230 – Daniel C. Aug 25 '17 at 11:22
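The two-layer behaviour the answer describes, as an added example that is not the asker's or the answerer's code. It assumes Spring Boot 1.5 / Spring Security 4.2 (which the question's plain-text in-memory passwords imply; on Spring Security 5+ the passwords would need a PasswordEncoder) and a hypothetical package name. The URL rule permitAll() only decides whether the request passes the filter chain; the @Secured interceptor on the handler method is a second, independent check, and an anonymous caller holds only ROLE_ANONYMOUS, so the access-denied result is turned into a redirect to the login page. The fix is to make both layers agree:

```java
// Added example (not code from the question or answer). Assumes Spring Boot 1.5 /
// Spring Security 4.2; the package name is hypothetical.
package com.example.demo;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureAuth(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("fabio").password("123").roles("ADMIN")
            .and()
                .withUser("joe").password("123").roles("GUEST");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Layer 1: URL authorization in the filter chain. permitAll() lets the
        // anonymous request reach the controller; it does NOT switch off
        // method security on the handler that serves the URL.
        http.authorizeRequests()
                .antMatchers("/post/list").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .logout();
    }
}

@RestController
@RequestMapping("/post")
class HomeController {

    // Layer 2: method security. An anonymous caller only holds ROLE_ANONYMOUS,
    // so @Secured("ROLE_GUEST") here throws AccessDeniedException; because the
    // caller is anonymous, ExceptionTranslationFilter sends the login page
    // instead of a 403. That is the prompt the question describes.
    // Fix: make both layers agree. Either drop @Secured on this method (the
    // answer's option 1), or list ROLE_ANONYMOUS together with the logged-in
    // roles that should also see the page: a logged-in "joe" does not hold
    // ROLE_ANONYMOUS, so ROLE_ANONYMOUS alone would lock him out with a 403.
    @Secured({"ROLE_ANONYMOUS", "ROLE_GUEST", "ROLE_ADMIN"})
    @RequestMapping("/list")
    public String list() {
        return "list...";
    }

    // Not reachable anonymously: anyRequest().authenticated() at layer 1 sends
    // the login page first, and layer 2 then additionally requires ROLE_GUEST.
    @Secured("ROLE_GUEST")
    @RequestMapping("/drafts")
    public String drafts() {
        return "drafts...";
    }

    @Secured("ROLE_ADMIN")
    @RequestMapping("/add")
    public String add() {
        return "adding...";
    }
}
```

Note that roles are not hierarchical by default: with the original @Secured("ROLE_GUEST"), the ADMIN user "fabio" would also have been denied on /post/list, so whichever option is chosen, the role list on the method has to name every principal type that is meant to reach the handler.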
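To see which request paths each of the answer's three antMatchers patterns actually permits, here is an added example (not from the post) that runs the patterns through org.springframework.util.AntPathMatcher from spring-core, the matcher behind Spring Security's antMatchers(...). The request paths are constructed samples, and two of them ("/post/listings" and "/post/listings/secret") are there to show what an over-broad wildcard quietly opens up:

```java
// Added example, not code from the question or answer. Requires spring-core on
// the classpath; the sample paths are constructed for this demo.
import org.springframework.util.AntPathMatcher;

public class AntPatternDemo {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // The answer's three candidate patterns for the /post/list rule.
    static final String[] PATTERNS = {"/post/list", "/post/list/**", "/post/list**"};

    // Constructed sample request paths.
    static final String[] PATHS = {
        "/post/list",
        "/post/list/stuff",
        "/post/list1234",
        "/post/listings",
        "/post/listings/secret"
    };

    // true when the pattern would make permitAll() apply to this path
    static boolean permits(String pattern, String path) {
        return MATCHER.match(pattern, path);
    }

    public static void main(String[] args) {
        System.out.printf("%-24s", "path");
        for (String pattern : PATTERNS) {
            System.out.printf("%-16s", pattern);
        }
        System.out.println();
        for (String path : PATHS) {
            System.out.printf("%-24s", path);
            for (String pattern : PATTERNS) {
                System.out.printf("%-16s", permits(pattern, path) ? "permitAll" : "-");
            }
            System.out.println();
        }
    }
}
```

Two things worth keeping in mind when choosing the pattern: inside a single path segment, "**" behaves like "*" (any run of characters), so "/post/list**" also matches a sibling segment such as "/post/listings"; and "/post/list/**" matches the segment itself plus everything beneath it. Since authorizeRequests() rules are matched in order and the first hit wins, the breadth of the permitAll() pattern is exactly the set of URLs an unauthenticated user can reach, so pick the narrowest pattern that covers the intended handlers.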