Secure Admin Panel (Spring Security)

Question

I want to secure admin panel. I've added to Spring Security:

 .antMatchers("/admin/**").hasAuthority("ADMIN")

My User model contains (which implements UserDetails ):

    @Override
    @OneToMany(fetch=FetchType.LAZY, mappedBy = "user", cascade = CascadeType.ALL)
    @JsonIgnore
    public Set<Authority> getAuthorities() {
        return authorities;
    }

    public void setAuthorities(Set<Authority> authorities){
        this.authorities = authorities;
    }

Authority model contains (which implements GrantedAuthority):

@ManyToOne
    @JoinColumn(name="user_id")
    public User getUser() {
        return user;
    }

    public void setUser(User user) {
        this.user = user;
    }

Problem: When I add, this row with andMatchers and try access to this controller, it shows error:

<pre>java.lang.NullPointerException
    org.springframework.security.core.authority.AuthorityUtils.authorityListToSet(AuthorityUtils.java:39)
    org.springframework.security.access.expression.SecurityExpressionRoot.getAuthoritySet(SecurityExpressionRoot.java:128)
    org.springframework.security.access.expression.SecurityExpressionRoot.hasRole(SecurityExpressionRoot.java:60)
    org.springframework.security.access.expression.SecurityExpressionRoot.hasAuthority(SecurityExpressionRoot.java:52)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    java.lang.reflect.Method.invoke(Method.java:483)

Answer 1

Since the security evaluation probably is made outside transaction, use EAGER fetching for authorities. I also suggest a lazy initialization so that the method never returns null.

@OneToMany(fetch=FetchType.EAGER, mappedBy = "user", cascade = CascadeType.ALL)
public Set<Authority> getAuthorities() {
    if (authorities == null)
        authorities = new HashSet<Authority>();
    return authorities;
}