Describe the bug Hello, I want to allow the ADMIN role to access path: /organizations, it is working fine in spring-security version: 5.x, code as below:
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;

@Component
@EnableWebSecurity
@Order(2)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // BASE_URL, ADMIN and getSproxAuthenticationRequestFilterBean() are defined elsewhere in the project
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf().ignoringAntMatchers("/**");
        httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
            .antMatchers(BASE_URL + "/organizations").hasAnyAuthority(ADMIN)
            .anyRequest().authenticated()
            .and()
            .exceptionHandling().accessDeniedPage(BASE_URL + "/access");
        httpSecurity.addFilterBefore(getSproxAuthenticationRequestFilterBean(), UsernamePasswordAuthenticationFilter.class);
    }
}
Now I am upgrading spring-security to 6.2.4, code as below, but when the Admin user requests path: /organizations, it seems to lose the authority and is always forwarded to path: /access. How can I resolve it?
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@Order(2)
public class SecurityConfig {
    // BASE_URL, ADMIN and getSproxAuthenticationRequestFilterBean() are defined elsewhere in the project
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.cors(Customizer.withDefaults());
        httpSecurity.sessionManagement(sessionManagement -> sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(authorizeRequests ->
                authorizeRequests
                    .requestMatchers(BASE_URL + "/organizations").hasAnyAuthority(ADMIN)
                    .anyRequest().authenticated())
            .exceptionHandling(exceptionHandling -> exceptionHandling.accessDeniedPage(BASE_URL + "/access"))
            .addFilterBefore(getSproxAuthenticationRequestFilterBean(), UsernamePasswordAuthenticationFilter.class);
        return httpSecurity.build();
    }
}
Comment From: tongshushan
Resolved.
in new spring-security:
.requestMatchers(BASE_URL + "/organizations").hasAnyAuthority(ADMIN)
should be changed to:
.requestMatchers(new AntPathRequestMatcher(BASE_URL + "/organizations")).hasAnyAuthority(ADMIN)
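The comment's fix in a complete 6.2.4 filter chain, as an added example that is not the issue's own code: it shows the AntPathRequestMatcher form next to the alternative of keeping MvcRequestMatcher but giving it the servlet path explicitly, which is what requestMatchers(String) cannot infer when the DispatcherServlet is mapped to a prefix instead of "/". BASE_URL, ADMIN, the "/spring" servlet path and the injected Filter standing in for getSproxAuthenticationRequestFilterBean() are assumptions.

```java
import jakarta.servlet.Filter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

@Configuration
@Order(2)
public class SecurityConfig {
    private static final String BASE_URL = "/api";   // assumed value, not from the issue
    private static final String ADMIN = "ADMIN";     // assumed value, not from the issue
    private final Filter sproxFilter;                // stands in for getSproxAuthenticationRequestFilterBean()

    public SecurityConfig(Filter sproxFilter) { this.sproxFilter = sproxFilter; }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           HandlerMappingIntrospector introspector) throws Exception {
        // Option A (the fix from the comment): Ant matching on the full request path,
        // independent of where the DispatcherServlet is mapped.
        AntPathRequestMatcher organizationsAnt = new AntPathRequestMatcher(BASE_URL + "/organizations");

        // Option B: keep MVC matching but state the servlet path ("/spring" is assumed).
        // Without it, requestMatchers(String) builds an MvcRequestMatcher that never
        // matches when the servlet is mapped to "/spring/*" rather than "/".
        MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector).servletPath("/spring");

        http.cors(Customizer.withDefaults())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(organizationsAnt).hasAuthority(ADMIN)
                .requestMatchers(mvc.pattern(BASE_URL + "/organizations")).hasAuthority(ADMIN)
                // catch-all stays last: rules after anyRequest() are unreachable
                .anyRequest().authenticated())
            .exceptionHandling(eh -> eh.accessDeniedPage(BASE_URL + "/access"))
            .addFilterBefore(sproxFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Note that the 6.2.4 config leaves CSRF protection enabled (the 5.x one disabled it with ignoringAntMatchers("/**")), and a missing or invalid CSRF token on a state-changing request is also rejected as an AccessDeniedException and lands on the same accessDeniedPage, so confirm which rejection you are seeing before attributing it to the matcher.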