user1609848

Reputation: 143

Forbidden with Spring Security and @Secured

I have setup Spring Security as follows:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true) // enables @Secured on beans
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private MongoUserDetailsService userServiceDetails; // application's own UserDetailsService

    @Autowired
    private BCryptPasswordEncoder bCryptEncoder;

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Static resources bypass the security filter chain entirely
        web.ignoring().antMatchers("/js/**", "/css/**", "/fonts/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .csrf().disable()
                .formLogin()
                    .defaultSuccessUrl("/index", true)
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .httpBasic()
                .and()
                .logout()
                    .permitAll()
                    .deleteCookies("JSESSIONID")
                    .invalidateHttpSession(true);
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
           .userDetailsService(userServiceDetails)
           .passwordEncoder(bCryptEncoder);
    }
}

And on my controller I have the following:

@RequestMapping(method = RequestMethod.GET)
@Secured({"ADMIN"}) // the annotation that triggers the 403 described below
public List<Item> getItems(@RequestBody Filter filter) { // type name assumed to be Filter; the post wrote it in lowercase

    if (filter.hasMissingField()) {
        return new ArrayList<>();
    }

    return service.getItems(filter);
}

On logging in, the user details object has the roles needed (in debug):

[screenshot: the user details object shown in the debugger]

However, I am getting a 403 - Forbidden. I can't see why. If I remove the @Secured then I can access the page fine, but with @Secured({"ADMIN"}) it fails.

I have combed SO and I see errors in relation to @Secured not working at all, and errors in relation to @Secured having no effect at the Controller level, but nothing like my current scenario, where it is failing to authorise with the needed role present.

If it helps I am using Spring Boot 1.3.2.

Any help will be appreciated. Thanks.

Upvotes: 1

Views: 2385

Answers (1)

gerrytan

Reputation: 41143

You have to put @Secured({"ROLE_ADMIN"}) with the ROLE_ prefix.

Upvotes: 10
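An added example (not code from the question or the answer) that reproduces the decision outside the web stack with the voters that @EnableGlobalMethodSecurity(securedEnabled = true) wires by default in Spring Security 4.x: RoleVoter abstains on any attribute that lacks its ROLE_ prefix, AuthenticatedVoter abstains as well, and AffirmativeBased turns an all-abstain vote into AccessDeniedException, which the web layer reports as 403. It assumes the MongoUserDetailsService grants the authority ROLE_ADMIN; the caller object is constructed here.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class SecuredPrefixDemo {

    // The AccessDecisionManager that securedEnabled = true installs by default:
    // AffirmativeBased over a RoleVoter and an AuthenticatedVoter.
    private static AffirmativeBased defaultDecisionManager() {
        List<AccessDecisionVoter<? extends Object>> voters = new ArrayList<>();
        voters.add(new RoleVoter());          // votes only on attributes starting with "ROLE_"
        voters.add(new AuthenticatedVoter()); // votes only on IS_AUTHENTICATED_* attributes
        return new AffirmativeBased(voters);
    }

    // Evaluates one @Secured value against the caller's granted authorities the way the
    // method-security interceptor does; true means access is granted.
    static boolean isAllowed(Authentication caller, String securedValue) {
        Collection<ConfigAttribute> attributes = SecurityConfig.createList(securedValue);
        try {
            defaultDecisionManager().decide(caller, new Object(), attributes);
            return true;
        } catch (AccessDeniedException denied) {
            // No voter granted access. For a bare "ADMIN" attribute both voters abstain,
            // and AffirmativeBased denies when every voter abstains.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed caller; assumes MongoUserDetailsService grants the authority "ROLE_ADMIN".
        Authentication admin = new UsernamePasswordAuthenticationToken(
                "admin", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));

        // Bare attribute: RoleVoter ignores it, so the holder of ROLE_ADMIN is still denied.
        System.out.println("@Secured(\"ADMIN\")      -> " + isAllowed(admin, "ADMIN"));
        // Prefixed attribute: RoleVoter compares it with the granted authority and grants.
        System.out.println("@Secured(\"ROLE_ADMIN\") -> " + isAllowed(admin, "ROLE_ADMIN"));
    }
}
```

The same check applies to whatever authority strings the UserDetailsService returns: a user whose authorities are stored as "ADMIN" will not pass @Secured("ROLE_ADMIN") either, so the prefix must agree on both sides.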
