
In my `configure(HttpSecurity)` I have:

```java
.antMatchers("/api/account/reset-password/finish").hasAnyAuthority(AuthoritiesConstants.BANK, AuthoritiesConstants.USER)
```

And on this particular endpoint:

```java
public void finishPasswordReset(@RequestBody KeyAndPasswordVM keyAndPassword)
```

I put above it:

```java
@PreAuthorize("hasAnyAuthority(\"" + AuthoritiesConstants.BANK + "\", \"" + AuthoritiesConstants.USER + "\")")
```

But when I test it with an admin user with the role "ROLE_ADMIN" (who is not authorized) using Postman, there is no 403 and the request passes normally.

Information:

```java
AuthoritiesConstants.USER = "ROLE_USER";
AuthoritiesConstants.BANK = "ROLE_BANK";
AuthoritiesConstants.ADMIN = "ROLE_ADMIN";
```

  • Did you [enable](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#enableglobalmethodsecurity) global method security? `@EnableGlobalMethodSecurity(prePostEnabled = true)` – R.G Apr 26 '20 at 06:33
  • Hello, yes it's enabled. It was finally a problem with the session, I think: when I change data in H2, for example the role of a particular user from simple user to admin, it's not taken into consideration; Spring gets the data from the session cache and ignores the H2 data. – El Khawarizmi Apr 26 '20 at 22:28

0 Answers
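Because the comments point at a stale session (authorities changed in H2 after login, but the existing `Authentication` still carries the old ones), the reliable way to check the rule itself is a test that builds a fresh security context per request. The following is an added example, not code from the question: a Spring Security test using MockMvc and `@WithMockUser`; it assumes a Spring Boot application with `@EnableGlobalMethodSecurity(prePostEnabled = true)`, the endpoint and constants from the question, and a constructed request body whose field names are assumed to match `KeyAndPasswordVM`.

```java
// Added example (not from the question). Hypothetical package and class names.
package com.example.security;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class ResetPasswordAuthorizationTest {

    private static final String URL = "/api/account/reset-password/finish";
    // Constructed body; field names are an assumption about KeyAndPasswordVM.
    private static final String BODY =
        "{\"key\":\"dummy-reset-key\",\"newPassword\":\"N3w-Passw0rd!\"}";

    @Autowired
    private MockMvc mockMvc;

    // @WithMockUser creates a new SecurityContext for this request, so no
    // cached session authorities can mask the result. ROLE_ADMIN is not in
    // hasAnyAuthority(ROLE_BANK, ROLE_USER): both the antMatcher rule and the
    // @PreAuthorize check must answer 403.
    @Test
    @WithMockUser(username = "admin", authorities = "ROLE_ADMIN")
    void adminIsForbidden() throws Exception {
        mockMvc.perform(post(URL).with(csrf())
                .contentType(MediaType.APPLICATION_JSON).content(BODY))
            .andExpect(status().isForbidden());
    }

    // ROLE_USER is allowed through the security layer; whatever the handler
    // then does with the dummy key, the response must not be 401 or 403.
    @Test
    @WithMockUser(username = "user", authorities = "ROLE_USER")
    void userPassesAuthorization() throws Exception {
        mockMvc.perform(post(URL).with(csrf())
                .contentType(MediaType.APPLICATION_JSON).content(BODY))
            .andExpect(result -> {
                int s = result.getResponse().getStatus();
                if (s == 401 || s == 403) throw new AssertionError("rejected: " + s);
            });
    }
}
```

If `adminIsForbidden` passes here but Postman still gets through, the rules are correct and the live request is carrying an old session; log out (or invalidate the session) after changing a user's authorities in the database.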