Search code examples
javaspring-bootuser-permissionshttpconfiguration

Java Spring Boot Login and Role Issues

I'm writing a basic Web App using Java Spring Boot and am currently having issues with the roles of my users in my database and access to different parts of the app. The users can either have the role "ADMIN" or "USER". The only difference between what's allowed for these 2 roles is that the ADMIN is able to visit the "/register" page, whereas the other people in the role USER cannot. I have posted the code for my http configure method below, and am not sure where I am going wrong. I want all users to be able to access the login page and only the ADMIN to access the "/register" page. The issue I'm experiencing is that as of now, for some reason, the "/home" page to my app is to able be seen without even logging in. Logging in with what I have below is not being enforced.

package bcoreHW.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;

import bcoreHW.service.UserService;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserService userService;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers( // allow users access to any files in js, css, and img directories
                    "/login",
                    "/js/**",
                    "/css/**",
                    "/img/**")
                .permitAll()
                .antMatchers("/register")
                .hasRole("ADMIN")
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/home")
                .permitAll()
                .and()
            .logout()
                .permitAll();
        }

//  @Autowired
//  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
//      auth
//          .inMemoryAuthentication()
//          .withUser("test")
//          .password("hello")
//          .roles("USER");
//      }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
    }
}

If I change the configure() method to what I have below, however, at least the user is forced to login, and the permissions from there are correct on an "on-click" basis, but I am still able to go to the address bar and search for "/register" under a USER role, which is why I attempted to implement the first piece of code I posted. Neither have worked yet, and was hoping for some help. 

package bcoreHW.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;

import bcoreHW.service.UserService;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserService userService;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //@formatter:off
        http
            .authorizeRequests()
                .antMatchers( // allow users access to any files in js, css, and img directories
                    "/login",
                    "/js/**",
                    "/css/**",
                    "/img/**")
                .permitAll()
            .anyRequest().
                authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/home")
                .permitAll()
                .and()
            .logout()
                .permitAll();
        }

//  @Autowired
//  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
//      auth
//          .inMemoryAuthentication()
//          .withUser("test")
//          .password("hello")
//          .roles("USER");
//      }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
    }
}
Solution

  • Make sure you are storing the users with roles as ROLE_ADMIN and ROLE_USER in the database

     @Override
    public void configure(HttpSecurity http) throws Exception {

        http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers( "/login", "/js/**", "/css/**", "/img/**").permitAll() // allow users access to any files in js, css, and img directories
            .antMatchers("/register").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login")
            .defaultSuccessUrl("/home").permitAll()
            .and()
            .logout().permitAll();
}