I've two URLs in my application:
/sa/abc (which should be accessible to role ABC)
/sa/practice (which should be accessible to role ADMIN)
For this I've configured:
http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
    .authorizeRequests()
        // broadest pattern listed first: it matches every /sa/ URL before the rules below are consulted
        .antMatchers("/sa/**").authenticated()
        .antMatchers("/sa/abc/**").hasAnyAuthority("ABC")
        .antMatchers("/sa/practices/**").hasAnyAuthority("ADMIN");
I was expecting that a user with role ABC would not be able to access /sa/practices/link1, but he is able to.
Also I want to know what will happen to the links which are not mentioned in antMatchers. My guess is that they can be accessed without any issue regardless of the role.
Am I correct?
Order matters. The first ant pattern that matches decides the access. So in your case:
http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
    .authorizeRequests()
        // most specific patterns first
        .antMatchers("/sa/abc/**").hasAnyAuthority("ABC")
        .antMatchers("/sa/practices/**").hasAnyAuthority("ADMIN")
        // least specific pattern last
        .antMatchers("/sa/**").authenticated();
Note that the least specific path is last.
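As an added example (not part of the question or the answer above): a complete configuration using the answer's ordering, together with a MockMvc test that checks the first-match rule on both roles. It also covers the second half of the question: with Spring Security 5's authorizeRequests(), a request that matches no antMatchers() entry and no anyRequest() rule carries no access attribute and passes the authorization filter unrestricted, so the chain below is closed with anyRequest().denyAll(). The example assumes Spring Boot 2.x with Spring Security 5.x (the WebSecurityConfigurerAdapter API used on this page; it is deprecated in 5.7 and removed in 6, where the same ordering rule applies to requestMatchers()), spring-security-test and JUnit 5 on the classpath, and a @SpringBootApplication class in a parent package. The class names, the controller and the test users are mine; in a real project each class lives in its own file.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical configuration class (example code, not from the question or answer).
@Configuration
@EnableWebSecurity
class SaSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                // Most specific patterns first: the first matcher that matches decides access.
                .antMatchers("/sa/abc/**").hasAuthority("ABC")
                .antMatchers("/sa/practices/**").hasAuthority("ADMIN")
                // Catch-all for the rest of /sa, after the specific rules.
                .antMatchers("/sa/**").authenticated()
                // Close the chain: URLs listed nowhere above are refused instead of
                // passing through the authorization filter with no rule applied.
                .anyRequest().denyAll();
    }
}

// Hypothetical endpoints so that an allowed request returns 200 rather than 404.
@RestController
class SaController {
    @GetMapping("/sa/abc/{id}")
    String abc(@PathVariable String id) { return "abc:" + id; }

    @GetMapping("/sa/practices/{id}")
    String practices(@PathVariable String id) { return "practice:" + id; }
}

@SpringBootTest
@AutoConfigureMockMvc
class SaSecurityConfigTest {
    @Autowired MockMvc mvc;

    // authorities, not roles: roles = "ABC" would grant "ROLE_ABC", which hasAuthority("ABC") does not accept.
    @Test
    @WithMockUser(username = "alice", authorities = "ABC")
    void abcAuthorityIsConfinedToItsOwnPath() throws Exception {
        mvc.perform(get("/sa/abc/1")).andExpect(status().isOk());
        mvc.perform(get("/sa/practices/link1")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(username = "bob", authorities = "ADMIN")
    void adminAuthorityIsConfinedToItsOwnPath() throws Exception {
        mvc.perform(get("/sa/practices/link1")).andExpect(status().isOk());
        mvc.perform(get("/sa/abc/1")).andExpect(status().isForbidden());
        // Matched by no antMatchers() entry: denied by the closing anyRequest() rule.
        mvc.perform(get("/other")).andExpect(status().isForbidden());
    }
}
```

Reordering the three antMatchers() lines back to the question's order (with "/sa/**" first) makes the second assertion in each test fail, which is the quickest way to see that the broad pattern swallows the specific ones.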