Fixing Role Management in Spring Security
Your issue with role-based access control in Spring Security stems from the order of your request matchers. Spring Security evaluates the matchers in the order they are declared and applies the first one that matches, so a catch-all anyRequest() rule declared first shadows every rule after it. The anyRequest() matcher must come after the specific role-based matchers.
To resolve this and restrict admin access, modify your configuration as follows:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Disabling CSRF is only appropriate for stateless clients (e.g. token-based APIs);
            // keep it enabled when formLogin is used from a browser session.
            .csrf().disable()
            .httpBasic()
            .and()
            .authorizeRequests()
                // Specific rule first. hasRole("admin") matches the authority "ROLE_admin"
                // (Spring prepends the ROLE_ prefix), so grant that authority to admin users.
                .antMatchers("/users/all").hasRole("admin")
                // Catch-all rule last: moved after the role-based matcher.
                .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .exceptionHandling().accessDeniedPage("/403");
    }
With this configuration, requests to /users/all will require the admin role (authority ROLE_admin), while all other requests will require any authenticated user, because the specific matcher is evaluated before the catch-all.
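A MockMvc test that checks the ordering actually takes effect, added here as an example and not part of the original answer. It assumes a Spring Boot application with spring-security-test on the test classpath and a controller mapped to GET /users/all that returns 200 for authorized callers; the class and method names are the example's own.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Assumed test class; verifies the matcher order from the configuration above.
@SpringBootTest
@AutoConfigureMockMvc
class MatcherOrderTest {

    @Autowired
    private MockMvc mockMvc;

    // hasRole("admin") checks for the authority "ROLE_admin";
    // @WithMockUser(roles = "admin") grants exactly that authority.
    @Test
    @WithMockUser(roles = "admin")
    void adminCanReadUserList() throws Exception {
        mockMvc.perform(get("/users/all"))
               .andExpect(status().isOk());
    }

    // An authenticated user without the admin role must be rejected.
    // accessDeniedPage("/403") forwards to /403 with HTTP status 403, which is
    // what this asserts. If anyRequest().authenticated() were declared before
    // the /users/all rule, this request would pass as 200 and the test would fail,
    // flagging the shadowed role check described above.
    @Test
    @WithMockUser(roles = "user")
    void nonAdminIsForbidden() throws Exception {
        mockMvc.perform(get("/users/all"))
               .andExpect(status().isForbidden());
    }
}
```

Run it with the usual Maven or Gradle test task; keep the second test in the suite so any later reordering of the matchers is caught before deployment.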
The above is the detailed content of How to Correctly Order Request Matchers in Spring Security for Role-Based Access Control?. For more information, please follow other related articles on the PHP Chinese website!