Centroricerche rps

Reputation: 81

JHipster with @PreAuthorize always allow access

My Resource has this code:

    @DeleteMapping("/devices/{id}")
    @Timed
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    public ResponseEntity<Void> deleteDevice(@PathVariable Long id) {
        log.debug("REST request to delete Device : {}", id);
        deviceService.delete(id);
        return ResponseEntity.noContent().headers(HeaderUtil.createEntityDeletionAlert(applicationName, true, ENTITY_NAME, id.toString())).build();
    }

It is supposed to be executed only by users with 'ROLE_ADMIN'. However, any logged-in user can run it, even if they don't possess the ROLE_ADMIN authority.

I've also tried by adding

            .antMatchers(HttpMethod.DELETE,"/api/**").hasAuthority(AuthoritiesConstants.ADMIN)

on the SecurityConfiguration, but requests are never blocked. What am I missing? I'm using JHipster 6.9.1.

Upvotes: 0

Views: 274

Answers (1)

sudo

Reputation: 775

As mentioned in my comment - enable prePostEnabled in your Configuration as well to activate the method security:

    @EnableGlobalMethodSecurity(
      prePostEnabled = true, 
    ...)

Why it isn't enabled by default by JHipster, I don't know.

Upvotes: 1
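The fix from the answer carried through to a complete configuration, together with an integration test that proves the rule is enforced rather than merely declared. This is an added example, not code from the question or from JHipster's generator; it assumes JHipster 6.9.1's Spring Security 5 setup (WebSecurityConfigurerAdapter, MockMvc in the integration tests) and reuses the AuthoritiesConstants.ADMIN and /api/devices/{id} names from the question; DeviceResourceIT is a hypothetical test class name.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// SecurityConfiguration.java
@Configuration
@EnableWebSecurity
// prePostEnabled = true is what makes @PreAuthorize/@PostAuthorize on beans take effect;
// without it the annotation on DeviceResource.deleteDevice is silently ignored.
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // URL-level rule as defence in depth. Order matters: antMatchers are evaluated
            // first-match-wins, so the DELETE rule must come before the general /api/** rule.
            .antMatchers(HttpMethod.DELETE, "/api/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/api/**").authenticated();
    }
}

// DeviceResourceIT.java (hypothetical name): a ROLE_USER caller must receive 403.
// csrf() supplies a valid CSRF token so the 403 comes from authorization, not from
// a missing token, which would otherwise make this test pass for the wrong reason.
@SpringBootTest
@AutoConfigureMockMvc
class DeviceResourceIT {
    @Autowired
    private MockMvc mockMvc;

    @Test
    @WithMockUser(authorities = "ROLE_USER")
    void nonAdminCannotDeleteDevice() throws Exception {
        mockMvc.perform(delete("/api/devices/{id}", 1L).with(csrf()))
            .andExpect(status().isForbidden());
    }
}
```

Run the test once with prePostEnabled left out and the DELETE matcher removed: it fails, which is the quickest way to confirm the authorization gap from the question before and after the change.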
