I want to prohibit access to the pages /admin/** except for users with the ADMIN role, and allow /user/** only for USER. I read a bunch of manuals but did not understand what should be added:

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserDetailsServiceImpl userDetailsService;

        @Autowired
        public void registerGlobalAuthentication(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .userDetailsService(userDetailsService)
                .passwordEncoder(getShaPasswordEncoder());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf()
                .disable()
                .authorizeRequests()
                .antMatchers("/resources/**", "/**").permitAll()
                .anyRequest().permitAll()
                .and();

            http.formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/j_spring_security_check")
                .failureUrl("/login?error")
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .permitAll();

            http.logout()
                .permitAll()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true);
        }

        // getShaPasswordEncoder() and the rest of the class are not shown in the post
    }

    1 answer

    Well, for example, try this:

     .antMatchers("/user/**").access("hasRole('ROLE_USER')")
     .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")

    And I advise you to read something, even if only this: https://habrahabr.ru/post/226791/ (or better, of course, the documentation on Spring Security).

    • What is this http? If you do not mind, please write where it needs to be registered - amigojoe
    • It does not work. I can still get in under any user - amigojoe
    • Understood. thanks - amigojoe
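
An added example, not part of the original thread: where the answer's two matchers go inside the question's `configure(HttpSecurity)`. Spring Security checks `authorizeRequests()` rules in declaration order and the first match decides, so the question's `"/**"` with `permitAll()` has to move below the role rules. The class name `RoleSecurityConfig` is hypothetical, and the class stands in for the question's `SecurityConfig` on a Spring Security version that still has `WebSecurityConfigurerAdapter`.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name. The authentication setup from the question
// (registerGlobalAuthentication) is unchanged and left out here.
@Configuration
@EnableWebSecurity
public class RoleSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Rules are checked top to bottom and the first match wins,
                // so the narrow role rules come before any broad pattern.
                .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
                .antMatchers("/user/**").access("hasRole('ROLE_USER')")
                .antMatchers("/resources/**").permitAll()
                // Catch-all goes last. In the question, "/**" with permitAll()
                // came first and therefore also matched /admin/** and /user/**.
                // Replace permitAll() with authenticated() for deny-by-default.
                .anyRequest().permitAll()
            .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/j_spring_security_check")
                .failureUrl("/login?error")
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .permitAll()
            .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)
                .permitAll();
        // csrf().disable() from the question is not repeated: CSRF protection
        // stays at its default (on), so the login form must send the _csrf
        // token and logout must be a POST.
    }
}
```

A quick check after deploying: a session logged in with only `ROLE_USER` should get HTTP 403 on any `/admin/...` URL, and an anonymous request to the same URL should be redirected to `/login`.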