Multiple antMatchers in Spring security

spring spring-mvc spring-security

I work on content management system, that has five antMatchers like the following:

http.authorizeRequests()
        .antMatchers("/", "/*.html").permitAll()
        .antMatchers("/user/**").hasRole("USER")
        .antMatchers("/admin/**").hasRole("ADMIN")
        .antMatchers("/admin/login").permitAll()
        .antMatchers("/user/login").permitAll()
        .anyRequest().authenticated()
        .and()
        .csrf().disable();

which suppose to mean that the visitors can see all site at root path (/*), and users can see only (/user), admin can see only (/admin), and there are two login pages one for users and another for admin.

The code seems to work fine, except the admin section - it doesn't work but return access denied exception.


Solution 1:

I believe that the problem is in the order of your rules:

.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/admin/login").permitAll()

The order of the rules matters and the more specific rules should go first. Now everything that starts with /admin will require authenticated user with ADMIN role, even the /admin/login path (because /admin/login is already matched by the /admin/** rule and therefore the second rule is ignored).

The rule for the login page should therefore go before the /admin/** rule. E.G.

.antMatchers("/admin/login").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")

Related

Make a link from Electron open in browser
Null safe date comparator for sorting in Java 8 Stream
Cannot change font size of text field in material ui
Executing a certain action for all elements in an Enumerable<T>
Qt jpg image display
Making buttons - <button> or <div>?
Programmatically clicking a GUI button in Java Swing
Move Amazon EC2 AMIs between regions via web-interface?
How to set a default editable string for raw_input?
How to get bundle ID?
adding extra axis ticks using matplotlib
How to check if android checkbox is checked within its onClick method (declared in XML)?