Reputation: 543
I have a Spring MVC project and am trying to add security. My problem is that Spring doesn't deny access to pages. I mean, if I go to the /product page, it opens. I have the following security config:
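
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class SecureConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        public void configureGlobalSecurity(AuthenticationManagerBuilder auth)
                throws Exception {
            // Single in-memory test user with role USER
            auth.inMemoryAuthentication().withUser("a").password("1")
                    .roles("USER");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Require authentication for every request
            http
                .authorizeRequests()
                .anyRequest().authenticated();
            http.csrf().disable();
        }
    }
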
At first, I thought these methods were not executed by the Spring context, but then I found that they are executed. If I understand correctly, this configuration should deny access to all pages, but the opposite happens: I can go to any page (/, /product, /test pages).
My security dependencies:

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>5.4.0</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.4.0</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>5.4.0</version>
    </dependency>

Application class:
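
    import javax.servlet.ServletContext;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRegistration;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.web.WebApplicationInitializer;
    import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
    import org.springframework.web.servlet.DispatcherServlet;
    public class Application implements WebApplicationInitializer {
        Logger logger = LoggerFactory.getLogger(Application.class);
        @Override
        public void onStartup(ServletContext servletContext) throws ServletException {
            // Register the DispatcherServlet with the MVC and security configuration
            AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
            context.register(WebConf.class, SecureConfig.class);
            ServletRegistration.Dynamic dispatcher = servletContext.addServlet("dispatcher", new DispatcherServlet(context));
            dispatcher.addMapping("/*");
            dispatcher.setLoadOnStartup(1);
        }
    }
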
Upvotes: 1
Views: 164
Reputation: 543
I solved this problem by adding the following class:
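
    import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
    // Registers the springSecurityFilterChain filter with the servlet container
    public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
    }
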
SpringSecurityFilterChain did not work without this class; that's why security didn't work.
Upvotes: 1
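
What the empty initializer class in the answer takes care of, written out by hand as an added example (not the poster's code): the `springSecurityFilterChain` bean created by `@EnableWebSecurity` only sees requests once a `DelegatingFilterProxy` with that name is registered with the servlet container. Loading `SecureConfig` in a separate root context through `ContextLoaderListener` is a choice made for this example; `WebConf` and `SecureConfig` are the classes from the question.

```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletRegistration;
import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.context.ContextLoaderListener;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;
import org.springframework.web.servlet.DispatcherServlet;

public class Application implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext servletContext) {
        // Root context (assumption of this example): holds the security
        // configuration so the filter proxy can look up its target bean.
        AnnotationConfigWebApplicationContext root = new AnnotationConfigWebApplicationContext();
        root.register(SecureConfig.class);
        servletContext.addListener(new ContextLoaderListener(root));

        // Without this registration the security beans exist but no request
        // passes through them, so authorizeRequests() rules are never applied.
        FilterRegistration.Dynamic security = servletContext.addFilter(
                "springSecurityFilterChain",
                new DelegatingFilterProxy("springSecurityFilterChain"));
        security.setAsyncSupported(true);
        // isMatchAfter = false: run ahead of filters declared elsewhere.
        security.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC),
                false, "/*");

        // MVC context for the DispatcherServlet, mapped as in the question.
        AnnotationConfigWebApplicationContext mvc = new AnnotationConfigWebApplicationContext();
        mvc.register(WebConf.class);
        ServletRegistration.Dynamic dispatcher =
                servletContext.addServlet("dispatcher", new DispatcherServlet(mvc));
        dispatcher.addMapping("/*");
        dispatcher.setLoadOnStartup(1);
    }
}
```

Use either this manual registration or the `AbstractSecurityWebApplicationInitializer` subclass, not both, since each registers a filter under the same name.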