SUMIT LOHAN

Reputation: 47

How to differentiate public and private pages in Spring Boot?

I am making a Spring Boot app for learning purposes only. In it I have a home.jsp page with URL pattern /home, a first.jsp page with URL pattern /first, and similarly a second.jsp page with URL pattern /second.

Now I want to make /home a public page (accessible by all) and make /first and /second secure.

What I am trying is:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/home").permitAll()
            .anyRequest().authenticated();
}

http://localhost:8080/home is working fine, but http://localhost:8080/first and http://localhost:8080/second are getting the following error:

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Wed Sep 04 20:02:52 IST 2019

There was an unexpected error (type=Forbidden, status=403). Access Denied

Upvotes: 0

Views: 472

Answers (1)

Muzammil

Reputation: 81

In this case, what is actually required is 'role-based authentication':

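import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableAutoConfiguration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    DataSource dataSource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // hasRole("X") checks for the authority "ROLE_X", so the role column must store ROLE_SECURE_USERS
            .antMatchers("/first").hasRole("SECURE_USERS")
            .antMatchers("/second").hasRole("SECURE_USERS")
            .antMatchers("/", "/home").permitAll()
            .anyRequest().authenticated()
            .and()
            // Unauthenticated requests are redirected to /login (needs a mapped login view)
            .formLogin().loginPage("/login").permitAll()
            .and()
            .logout().permitAll();
        // Authenticated users without the required role are forwarded to /403
        http.exceptionHandling().accessDeniedPage("/403");
    }

    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
            .passwordEncoder(passwordEncoder())
            .usersByUsernameQuery("select username,password, enabled from users where username=?")
            .authoritiesByUsernameQuery("select username, role from user_roles where username=?");
    }

    // Stored passwords must be BCrypt hashes
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

}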

The user:

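import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name = "users")
public class Users {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    @Column(name = "users_id", nullable = false)
    private Integer users_id;

    @Column(name = "username", nullable = false, unique = true)
    private String username;

    // Must be persisted (not @Transient): usersByUsernameQuery reads the BCrypt hash
    // from this column. That query also selects an "enabled" column from this table.
    @Column(name = "password")
    private String password;

    public Integer getUsers_id() {
        return users_id;
    }

    public void setUsers_id(Integer users_id) {
        this.users_id = users_id;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}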

The user role:

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import javax.persistence.UniqueConstraint;

@Entity
@Table(name = "user_roles", uniqueConstraints =
    @UniqueConstraint(columnNames = { "username", "role" }))
public class UserRoles {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    @Column(name = "user_roles_fl_id", nullable = false)
    private Integer user_roles_fl_id;

    @Column(name = "username", nullable = false)
    private String username;

    // Read by authoritiesByUsernameQuery; hasRole("SECURE_USERS") matches the value ROLE_SECURE_USERS
    @Column(name = "role")
    private String role;

    public Integer getUser_roles_fl_id() {
        return user_roles_fl_id;
    }

    public void setUser_roles_fl_id(Integer user_roles_fl_id) {
        this.user_roles_fl_id = user_roles_fl_id;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getRole() {
        return role;
    }

    public void setRole(String role) {
        this.role = role;
    }

}

Upvotes: 1
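
To check that the access rules in the answer's configuration behave as intended, the MockMvc test below requests each page as an anonymous visitor, as an authenticated user without the role, and as a user holding SECURE_USERS. It is an added example, not part of the original answer. It assumes spring-security-test and JUnit 5 on the test classpath, controllers mapped for /home, /first, /second and /login, and a test DataSource so the application context starts; the class name PageAccessRulesTest is hypothetical.

```java
// Added example, not code from the question or answer.
// Assumptions: JUnit 5 + spring-security-test on the test classpath, controllers for
// /home, /first, /second and /login exist, and a test DataSource lets the context start.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
class PageAccessRulesTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void homeIsPublic() throws Exception {
        mvc.perform(get("/home")).andExpect(status().isOk());
    }

    @Test
    void anonymousIsSentToLoginForSecurePages() throws Exception {
        for (String path : new String[] {"/first", "/second"}) {
            mvc.perform(get(path))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrlPattern("**/login"));
        }
    }

    @Test
    @WithMockUser(roles = "USER") // authenticated, but lacks SECURE_USERS
    void wrongRoleIsDenied() throws Exception {
        mvc.perform(get("/first")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(roles = "SECURE_USERS") // yields authority ROLE_SECURE_USERS
    void secureUserIsAllowed() throws Exception {
        mvc.perform(get("/first")).andExpect(status().isOk());
        mvc.perform(get("/second")).andExpect(status().isOk());
    }
}
```

@WithMockUser places the user directly in the security context, so these tests exercise the URL rules only and do not run the JDBC queries.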
