How to restrict access to html pages based on roles with spring security?
Question
I want the users to have access to html pages based on their role. For example only the ones with HR role should be able to view settings.html page and only those who are managers should see pendingrequest.html.
This is my security configuration:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private DatabaseAuthenticationProvider authenticationProvider;
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/js/**", "/css/**", "/img/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin().loginPage("/login").failureUrl("/login").defaultSuccessUrl("/")
.and().logout().logoutSuccessUrl("/login")
.and().authorizeRequests().antMatchers("/login").permitAll()
.antMatchers("/settings.html").hasRole("HR")
.antMatchers("/pendingRequests.html").hasRole("MANAGER")
.antMatchers("/settings.html","/pendingRequests.html").hasRole("ADMIN")
.anyRequest().authenticated().and().csrf().disable();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider).eraseCredentials(false);
}
}
For some reason what I've tried there doesn't work, no matter what role I have I cannot see those pages.
1 answers
solution1
0 2016-08-19 15:50:24
Spring security by default adds ROLE_ prefix to all roles defined in security checks.
You can rename your role names to have ROLE_ prefix or remove that prefix from your configuration ( How do I remove the ROLE_ prefix from Spring Security with JavaConfig? )
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.