
Spring Security not authorizing user

I'm new to Spring Security and I'm developing a web app which requires authentication and authorization using Spring Security 3.2. The authentication part is working fine, but the authorization is not. Below is my Spring Security configuration XML snippet.

<authentication-manager>
    <authentication-provider>
        <password-encoder ref="encoder" />
        <jdbc-user-service data-source-ref="myDataSource"
            users-by-username-query=" SELECT email_address as username , password, enabled FROM users WHERE email_address = ?   "
            authorities-by-username-query=" SELECT u.email_address as username , 
                                            r.role_name FROM users u
                                            INNER JOIN user_roles ur
                                            ON ur.user_id = u.user_id
                                            INNER JOIN roles r
                                            ON r.role_id = ur.role_id
                                            WHERE u.email_address = ? "/>
    </authentication-provider>
</authentication-manager>

<beans:bean id="encoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <beans:constructor-arg name="strength" value="11" />
</beans:bean>

<http pattern="/resources/**" security="none" />

<http auto-config="true" use-expressions="true" create-session="ifRequired">

    <form-login login-page="/" default-target-url="/admin/dashboard"
        authentication-failure-url="/login-error" always-use-default-target="true" />

    <!-- Security zones -->
    <intercept-url pattern="/" access="isAnonymous()" />
    <intercept-url pattern="/admin*" access="hasRole('ROLE_ADMIN')" />

    <session-management invalid-session-url="/"
        session-fixation-protection="newSession">
        <concurrency-control max-sessions="1"
            error-if-maximum-exceeded="true" />
    </session-management>

    <logout logout-success-url="/" delete-cookies="JSESSIONID"
        invalidate-session="true" />

    <access-denied-handler error-page="/403" />
</http>

With this configuration everything works fine apart from authorization. I have two users, viz. tim@abc.com (role=ADMIN) and bob@abc.com (role=USER), but when I try to log in with bob@abc.com I am also able to view the admin/dashboard page, which should not happen.

I've referred to many tutorials and the Spring docs as well, but I'm not able to find the exact problem. Please help.

Change the pattern to "/admin/*"

<intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')" />

Your default-target-url="/admin/dashboard" seems confusing, as it will redirect every user to /admin/dashboard after login. You may get an HTTP Unauthorized response when you log in with bob@abc.com.
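The reason the original rule never fired is that an ant-style `*` does not cross a `/`, so `/admin*` simply does not cover `/admin/dashboard` and the request was never checked against hasRole('ROLE_ADMIN'). The following added example (not code from the question or the answer) uses Spring's AntPathMatcher, which applies the same ant-style rules as <intercept-url>, to check which constructed sample paths each candidate pattern covers; the class and sample paths are assumptions made for this illustration.

```java
import org.springframework.util.AntPathMatcher;

/**
 * Added example: shows which request paths each intercept-url pattern covers.
 * AntPathMatcher uses the same ant-style rules as Spring Security's
 * <intercept-url pattern="..."> (a '*' stays within one path segment,
 * '**' spans any number of segments).
 */
public class InterceptUrlPatternCheck {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Returns true when the ant-style pattern covers the given request path. */
    static boolean covers(String pattern, String path) {
        return MATCHER.match(pattern, path);
    }

    public static void main(String[] args) {
        // The pattern from the question, the pattern from the answer, and the
        // subtree form that also covers nested admin pages.
        String[] patterns = {"/admin*", "/admin/*", "/admin/**"};

        // Constructed sample paths; /admin/dashboard is the page from the question.
        String[] paths = {"/admin", "/admin/dashboard", "/admin/users/42", "/administrator"};

        for (String pattern : patterns) {
            for (String path : paths) {
                System.out.printf("%-10s %-18s covered=%b%n", pattern, path, covers(pattern, path));
            }
        }
        // Rule summary: '/admin*' matches only paths in the same segment as 'admin'
        // (e.g. '/admin' or '/administrator'), never '/admin/dashboard';
        // '/admin/*' matches exactly one segment below '/admin';
        // '/admin/**' matches the whole '/admin' subtree.
    }
}
```

Because a request that matches no <intercept-url> is not subject to any authorization check, it is safer to end the list with a catch-all rule such as `<intercept-url pattern="/**" access="isAuthenticated()" />` so that a pattern mistake like this one fails closed instead of open.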
