How to fix role in Spring Security?

Your first matcher anyRequest() is always applied, because the order of matchers is important, see HttpSecurity#authorizeRequests: Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping: http.authorizeRequests().antMatchers("/**").hasRole("USER").antMatchers("/admin/**").hasRole("ADMIN") Your modified and simplified configuration: @Override protected void configure(HttpSecurity … Read more

Spring Security : Multiple HTTP Config not working

Look at the Spring Security Reference: @EnableWebSecurity public class MultiHttpSecurityConfig { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER").and().withUser("admin").password("password").roles("USER", "ADMIN"); } @Configuration @Order(1) public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http.antMatcher("/api/**").authorizeRequests().anyRequest().hasRole("ADMIN").and().httpBasic(); } } @Configuration public static class … Read more

How to configure CORS in a Spring Boot + Spring Security application?

Spring Security can now leverage Spring MVC CORS support described in this blog post I wrote. To make it work, you need to explicitly enable CORS support at Spring Security level as follows, otherwise CORS-enabled requests may be blocked by Spring Security before reaching Spring MVC. If you are using controller level @CrossOrigin annotations, … Read more

CORS issue – No ‘Access-Control-Allow-Origin’ header is present on the requested resource

CORS’ preflight request uses HTTP OPTIONS without credentials, see Cross-Origin Resource Sharing: Otherwise, make a preflight request. Fetch the request URL from origin source origin using referrer source as override referrer source with the manual redirect flag and the block cookies flag set, using the method OPTIONS, and with the following additional constraints: Include an … Read more

Springboot Security hasRole not working

You have to name your authority with prefix ROLE_ to use isUserInRole, see Spring Security Reference: The HttpServletRequest.isUserInRole(String) will determine if SecurityContextHolder.getContext().getAuthentication().getAuthorities() contains a GrantedAuthority with the role passed into isUserInRole(String). Typically users should not pass in the "ROLE_" prefix into this method since it is added automatically. For example, if you want to determine … Read more
