Spring Security Different access url for different role

Summary

http.authorizeRequests().antMatchers(HttpMethod.GET, "/rest/setup/tax").hasRole("USER"); http.authorizeRequests().antMatchers("/rest/setup/tax").hasRole("ADMIN");

i search to provide only the get for user role and everything for admin one, is it possible?

actually with that code, admin is not allowed.

Actual Behavior

user can log but not admin

Expected Behavior

both can access to /rest/setup/tax ressource (get)

Configuration

http.authorizeRequests().antMatchers(HttpMethod.GET, "/rest/setup/tax").hasRole("USER"); http.authorizeRequests().antMatchers("/rest/setup/tax").hasRole("ADMIN");

Version

i use spring boot 1.3.7 spring security 4.0.4

Comment From: eleftherias

The authorization rules are performed in order. Only the first authorization rule that matches will be invoked.

A GET request to "/rest/setup/tax" matches the rule .antMatchers(HttpMethod.GET, "/rest/setup/tax").hasRole("USER") therefore a user without role USER will not be allowed access.

If you wish to allow ADMIN users to access those requests, you can change your configuration to the following

http.authorizeRequests().antMatchers(HttpMethod.GET, "/rest/setup/tax").hasAnyRole("USER", "ADMIN"); 
http.authorizeRequests().antMatchers("/rest/setup/tax").hasRole("ADMIN");

For future reference, this feels like a question that is better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.