Faced the following problem. I want to implement the display of all pages for non-authorized users except the accaunt page. It does not work, please tell me. Displays all pages, and there is no lock on the accaunt page.

@Configuration @EnableWebSecurity public class ConfigSecurity extends WebSecurityConfigurerAdapter{ // @Bean // public UserDetailsService userDetailsService() { // InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager(); // manager.createUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build()); // return manager; // } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("user").roles("USER"); auth.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN"); auth.inMemoryAuthentication().withUser("superadmin").password("superadmin").roles("SUPERADMIN"); } @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); http.authorizeRequests() .antMatchers("/**").permitAll() .antMatchers("/resources/**").permitAll() .antMatchers("/accaunt").access("hasRole('ROLE_USER')") .antMatchers("/admin").access("hasRole('ROLE_SUPERADMIN')") .anyRequest().authenticated() .and() .formLogin().defaultSuccessUrl("/", false) // .loginPage("/login") .permitAll() .and() .logout() .permitAll(); } }
  • 2
    Change the sequence of filters. In the beginning there should be more stringent filters, and more general ones after them. You have the opposite. - aleshka-batman
  • @ aleshka-batman thank you very much. I am at the stage of study, did not know. - Alexey Zemtsov
  • @ aleshka-batman add the answer, I will mark it as correct - Alexey Zemtsov

1 answer 1

FilterSecurityInterceptor

Patterns are checked in the order in which they are declared. That is, if you have announced:

 .antMatchers("/**").permitAll() .antMatchers("/accaunt").access("hasRole('ROLE_USER')")

this means that the first pattern will overlap the second, and the path "/ accaunt" will not be protected. More specific patterns should be declared earlier than more general ones:

 .antMatchers("/accaunt").access("hasRole('ROLE_USER')") .antMatchers("/**").permitAll()