0
votes

Spring security config

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UsersDetailsService usersDetailsService;
    @Autowired
    private JwtFilter jwtFilter;

    public SecurityConfig(UsersDetailsService usersDetailsService) {
        this.usersDetailsService = usersDetailsService;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(daoAuthenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().cors().and().authorizeRequests()
                .antMatchers("/api/authenticate").anonymous()
                .antMatchers("/api/generateTPAC").anonymous()
                .antMatchers("/api/register").anonymous()
                .antMatchers("/api/generate2FAcode").anonymous()
                .antMatchers("/api/verify-email**").anonymous()
                .antMatchers("/api/retrieveUserInfo").permitAll()
                .antMatchers("/api/validateToken").permitAll()
                .antMatchers("/api/update**").permitAll()
                .antMatchers("/api/uploadImage").permitAll()
                .antMatchers("/api/image").permitAll()
                .anyRequest().authenticated()
                .and()
                .exceptionHandling()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    }

    @Bean
    DaoAuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
        daoAuthenticationProvider.setUserDetailsService(usersDetailsService);
        daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
        return daoAuthenticationProvider;
    }

    @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

}

Hello i have trouble setting antMatchers authorization.. It is not working as it should. Only what works is permitAll and denyAll, anonymous,hasRole,authenticated are not working.. I tried use .access(hasRole()) but this aint working at all tho..

1

1 Answers

0
votes

Since you are using UserDetailsService which returns an instance of the interface org.springframework.security.core.userdetails.UserDetails which uses Authorities .

So you control access like this

.antMatchers("/api/authenticate").hasAuthority("ROLE_ANONYMOUS")

or

.antMatchers("/api/authenticate").hasAuthority("ROLE_ADMIN")

Please verify your bean of UserDetailsService also . It should have loadUserByUsername function which returns instance of org.springframework.security.core.userdetails.UserDetails . Check the authorities in this object.