Spring Security does not seem to restrict a user who has a different role

I am trying to develop a web site where users could have a number of different roles (not restricted to only 1-5 static roles, but customizable too).

I have set my SecurityConfig.java as follows:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Register the per-role URL rules first, then the authenticated-only URLs,
        // and only after that the catch-all permitAll rule; matchers are evaluated
        // in the order they were added, so the specific ones are consulted first.
        this.setInitialUrlRoles(http);
        this.setInitAuthenticationUrls(http);
        http
            .addFilterBefore(modifiedAuthFilter, FilterSecurityInterceptor.class)
            .authorizeRequests(
                request -> request.anyRequest().permitAll()
            )
            .formLogin(login -> login
                .loginPage("/sign-in")
                .loginProcessingUrl("/sign-in")
                .permitAll()
                .defaultSuccessUrl("/", false)
                .failureUrl("/sign-in-error"))
            .logout(logout -> logout
                .logoutUrl("/sign-out")
                .logoutSuccessUrl("/sign-in"))
            .exceptionHandling(exception -> exception
                .accessDeniedPage("/403-forbidden"))
            .sessionManagement()
            .maximumSessions(1)
            .sessionRegistry(sessionRegistry());
    }

    // Every URL from InitializeUrl is reachable by any logged-in user, regardless of role.
    private void setInitAuthenticationUrls(HttpSecurity http) {
        InitializeUrl initializeUrl = new InitializeUrl();
        for (String url : initializeUrl.getAuthenticatedOnlyUrls()) {
            try {
                http.authorizeRequests()
                    .antMatchers(url).authenticated();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

    // Every role row from the database maps one URL pattern to one authority name.
    private void setInitialUrlRoles(HttpSecurity http) throws JSONException, Exception {
        for (SecuredRole role : accountMapper.readAllRoles()) {
            System.out.println(role.toString());
            try {
                http.authorizeRequests()
                    .antMatchers(role.getAccessible_url())
                    .hasAnyAuthority(role.getRole_name());
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
this.setInitialUrlRoles(http); -> registers a rule for every role-to-URL mapping
this.setInitAuthenticationUrls(http); -> registers .authenticated() for every URL that is for logged-in users only

And when I log in as the user and go to a particular page that is blocked for that user (page restriction role -> TEST, user role -> testtest),

it allows the user to enter the page instead of redirecting to the 403 page.

Could anyone advise me on this problem?

What could be the reason for this problem of not properly restricting the user from entering the page?

If I am lacking information needed to ask properly, please tell me so that I can update with more details.

I truly appreciate your guidance and advice in advance.

Have a great day.
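A regression test that pins down the expected outcome for the three paths (anonymous, logged in with the wrong authority, logged in with the mapped authority) is the quickest way to tell whether the database-driven matchers are being applied at all. This is an added example, not code from the question; it assumes a Spring Boot test setup with spring-security-test on the classpath, a hypothetical controller at /restricted/page, and one role row that maps /restricted/** to the authority TEST.

```java
// Hypothetical values: "/restricted/page" and the authority "TEST" stand in for one
// row returned by accountMapper.readAllRoles(); "testtest" is the authority of the
// user that was unexpectedly let through in the question.
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class UrlRoleRestrictionTest {

    @Autowired
    private MockMvc mockMvc;

    // Anonymous request: the URL is mapped to an authority, so the chain must not
    // fall through to anyRequest().permitAll(). formLogin() sends the caller to
    // /sign-in, so a redirect (not 200) is the expected outcome.
    @Test
    void anonymousUserIsSentToLogin() throws Exception {
        mockMvc.perform(get("/restricted/page"))
               .andExpect(status().is3xxRedirection());
    }

    // Logged-in user whose only authority is "testtest" must get 403.
    // hasAnyAuthority("TEST") compares GrantedAuthority strings exactly (no ROLE_
    // prefix is added, unlike hasAnyRole), so "testtest", "test" and "ROLE_TEST"
    // all fail this check; if this test passes with 200, the rule is not active.
    @Test
    @WithMockUser(username = "user", authorities = "testtest")
    void userWithoutMappedAuthorityIsForbidden() throws Exception {
        mockMvc.perform(get("/restricted/page"))
               .andExpect(status().isForbidden());
    }

    // Logged-in user holding exactly the mapped authority is let through.
    @Test
    @WithMockUser(username = "admin", authorities = "TEST")
    void userWithMappedAuthorityIsAllowed() throws Exception {
        mockMvc.perform(get("/restricted/page"))
               .andExpect(status().isOk());
    }
}
```

If the second test fails with 200, compare the authority strings the logged-in user actually carries against role.getRole_name(), and check what the custom modifiedAuthFilter does before FilterSecurityInterceptor runs.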


This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow