ASR

Reputation: 3559

access specific URL for specific user in spring security

I have two roles in my application: one role is for guests to view data and the other role is admin. On the admin page, the admin can edit data, and on the view page the guest role can view data. When I try to access the URLs, I can see both pages, view and admin, for both the guest and the admin, but I want the guest not to be able to access the admin page.

The following is my spring security file:

<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="true" use-expressions="true">
        <!-- Adds Support for basic authentication -->
        <intercept-url pattern="/admin" access="hasAnyRole('ROLE_USER')" />
        <!-- <http-basic /> -->
        <form-login login-page="/login" authentication-failure-url="/loginFailed" default-target-url="/view" />
        <logout />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="leader" password="1234" authorities="ROLE_ADMIN" />
                <user name="sudheer" password="1234" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</b:beans>

And the following is my controller class:

    @RequestMapping(value="/admin", method=RequestMethod.GET)
    public ModelAndView admin() {
        ModelAndView model = new ModelAndView();
        List<ApplicationTO> list = application.getApplicationList();
        model.addObject("applicationList", list);
        model.setViewName("admin");
        return model;
    }

    @RequestMapping(value="/view", method=RequestMethod.GET)
    public ModelAndView view() {
        ModelAndView model = new ModelAndView();
        List<ApplicationTO> list = application.getApplicationList();
        model.addObject("applicationList", list);
        model.setViewName("view");
        return model;
    }

Upvotes: 0

Views: 652

Answers (1)

maria.m

Reputation: 110

Please change - <intercept-url pattern="/admin" access="hasAnyRole('ROLE_USER')" /> from your code to

<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />

Upvotes: 2
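The answer's rule placed in a complete `<http>` element, as an added example that is not part of the original question or answer. It assumes that `/view` should be readable by both roles and that nothing besides the login pages is meant to be public; the catch-all rule is an addition that reflects that assumption.

```xml
<!-- Added example: replaces the <http> element in the question's file. -->
<http auto-config="true" use-expressions="true">
    <!-- intercept-url rules are evaluated top to bottom; the first matching
         pattern decides, so specific patterns go before the catch-all. -->

    <!-- The login form and its failure page must be reachable before
         authentication, otherwise the catch-all below causes a redirect loop. -->
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/loginFailed" access="permitAll" />

    <!-- Admin page and everything beneath it: ROLE_ADMIN only.
         The question's rule named ROLE_USER here, the non-admin authority
         in its user-service. -->
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />

    <!-- Read-only page: both roles (assumption, see lead-in). -->
    <intercept-url pattern="/view" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />

    <!-- Assumption: any URL not listed above requires a logged-in user.
         Without a rule like this, unmatched URLs are not protected at all. -->
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <form-login login-page="/login" authentication-failure-url="/loginFailed" default-target-url="/view" />
    <logout />
</http>
```

To check the result, log in as the ROLE_USER account and request `/admin`: the response should be 403 Forbidden, while `/view` still renders.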
