Spring Boot basic HTTP authentication with multiple roles throws 403 Forbidden error


I am trying to configure Spring Boot (embedded Tomcat) basic HTTP authentication with multiple roles, for a set of URLs, a few of them similar and a few of them specific to each role. Here the basic HTTP authentication for the first role pops up and is working fine. Below is the code:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

    @Configuration
    @EnableWebMvcSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class TestSecurityAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                    .authorizeRequests().antMatchers(null, getAppAdminRolePaths()).authenticated()
                    .anyRequest().hasAnyRole("appadmin")
                    .and()
                    .httpBasic();

            http.csrf().disable()
                    .authorizeRequests().antMatchers(null, getAppUserRolePaths()).authenticated()
                    .anyRequest().hasAnyRole("appuser")
                    .and()
                    .httpBasic();

            http.authorizeRequests().antMatchers(null, new String[]{"/app/appownerview.html"}).authenticated()
                    .anyRequest().hasAnyRole("appowner")
                    .and()
                    .httpBasic();
        }

        @Override
        @Autowired
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("appadminname").password("appadminpwd").roles("appadmin").and()
                .withUser("appusername").password("appuserpwd").roles("appuser").and()
                .withUser("appownername").password("appoownerpwd").roles("appowner");
        }

        private static String[] getAppAdminRolePaths() {
            return new String[]{"/appweb/*",
                    "/app/checkservice.html",
                    "/app/index.html",
                    "/app/testdata.html",
                    "/app/adminview.html",
                    "/app/demo.html"};
        }

        private static String[] getAppUserRolePaths() {
            return new String[]{"/appweb/*",
                    "/app/checkservice.html",
                    "/app/index.html",
                    "/app/testdata.html",
                    "/app/userview.html",
                    "/app/demo.html"};
        }
    }

For the HTTP username/password popup in the browser at the URL http://localhost:8080/app/index.html, appadminname/appadminpwd works fine. For the same URL, if I enter appusername/appuserpwd, it throws an HTTP 403 Forbidden access error. I am not sure why the second configured role, appuser, is throwing the error. Please let me know if there is a way to resolve this.

Thanks

I appreciate the question is a little old now, but this may still be useful to someone.

Firstly, I'm not sure why the calls to antMatchers() supply null as the first argument; antMatchers() expects a list of strings defining the URLs covered by the rule, and I'm not sure what null is expected to match in this case.

Secondly, anyRequest() means the rule is applied to any request made to the application regardless of the URL used, and Spring applies security rules in the order they are defined. Typically you define the URLs and their associated roles first, and then a default rule that any other request must be authenticated (but does not need specific roles): anyRequest().authenticated()

Your first rule says that any request made to the application must be made by users with the role appadmin, which denies access when you try to log in as appusername, and the second rule that would allow appusers is never processed.

Thirdly, you are making multiple calls to http.authorizeRequests() when you should be chaining them together, for example:

    http.csrf().disable().authorizeRequests()
        .antMatchers(getAppAdminRolePaths()).hasRole("appadmin")
        .antMatchers(getAppUserRolePaths()).hasRole("appuser")
        .anyRequest().authenticated();


Lastly, when you have a single role to check against, you can use hasRole() instead of hasAnyRole().

You don't need to supply both authenticated() and hasRole() in the same rule, because hasRole() implies that the user is authenticated.

You can find more explanations and examples in the Spring documentation: http://docs.spring.io/spring-security/site/docs/4.0.3.RELEASE/reference/htmlsingle/#authorize-requests
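As an added example (not part of the question or the answer above), here is a complete configuration built on the ordering rule the answer describes. Spring Security evaluates antMatchers() rules in declaration order and applies the first one that matches, so a path that appears in both the admin list and the user list (as /app/index.html does in the question) is granted only to the role named in whichever rule is declared first. The configuration below therefore gives the shared paths their own hasAnyRole() rule ahead of the role-specific ones, and keeps anyRequest().authenticated() last as the catch-all. It is written against the Spring Security 4.x API the answer links to; the package and class names are assumptions, while the paths, role names and in-memory demo credentials are the question's own literals.

```java
// Added example, not the asker's or answerer's code.
// Package and class names are hypothetical; paths, roles and demo users come from the question.
package com.example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class OrderedRolesSecurityConfig extends WebSecurityConfigurerAdapter {

    // Pages every role may see. Declared first so that no role-specific rule claims them.
    private static final String[] SHARED_PATHS = {
            "/appweb/*",
            "/app/checkservice.html",
            "/app/index.html",
            "/app/testdata.html",
            "/app/demo.html"};

    // Pages restricted to a single role.
    private static final String[] ADMIN_ONLY_PATHS = {"/app/adminview.html"};
    private static final String[] USER_ONLY_PATHS  = {"/app/userview.html"};
    private static final String[] OWNER_ONLY_PATHS = {"/app/appownerview.html"};

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // One authorizeRequests() chain; rules are tried top to bottom and the first match wins.
        // CSRF protection is left at its default (enabled), unlike the question's configuration.
        http
            .authorizeRequests()
                // 1. Shared pages: any of the three roles is sufficient.
                .antMatchers(SHARED_PATHS).hasAnyRole("appadmin", "appuser", "appowner")
                // 2. Role-specific pages. hasRole() already implies an authenticated user,
                //    and Spring prepends the ROLE_ prefix to match roles("...") below.
                .antMatchers(ADMIN_ONLY_PATHS).hasRole("appadmin")
                .antMatchers(USER_ONLY_PATHS).hasRole("appuser")
                .antMatchers(OWNER_ONLY_PATHS).hasRole("appowner")
                // 3. Catch-all, declared last: anything else needs a login but no particular role.
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory demo users from the question; suitable for local testing only.
        auth.inMemoryAuthentication()
            .withUser("appadminname").password("appadminpwd").roles("appadmin").and()
            .withUser("appusername").password("appuserpwd").roles("appuser").and()
            .withUser("appownername").password("appoownerpwd").roles("appowner");
    }
}
```

With this ordering, appusername/appuserpwd on /app/index.html is accepted by the first rule, while /app/adminview.html still returns 403 for that user because only the appadmin rule matches it. To confirm which rule a given request hit, set logging.level.org.springframework.security=DEBUG in the Spring Boot application properties; the security filter chain then logs the matched request and the access attributes (for example the hasRole or hasAnyRole expression) it was evaluated against.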

