I was trying to write a demo with Spring Security 3 and ran into a problem: hasRole() has no effect. Here is part of the code; every request gets passed to exceptionHandling().
```java
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    String[] userResource = this.appendPrefix(securityProps.getUserUrls());
    final String[] adminResource = this.appendPrefix(securityProps.getAdminUrls());
    final String[] commonResource = this.appendPrefix(securityProps.getCommonUrls());

    http.authorizeHttpRequests(auth -> {
            // grant resource to role
            auth.requestMatchers(userResource).hasRole(SecurityConst.ROLE_USER)
                .requestMatchers(adminResource).hasRole(SecurityConst.ROLE_ADMIN)
                // whitelist
                .requestMatchers(commonResource).permitAll()
                // default need auth
                .anyRequest().authenticated();
        })
        .httpBasic(Customizer.withDefaults())
        // login config
        .formLogin(form -> {
            form.loginProcessingUrl(securityProps.getLoginUrl().trim()).permitAll()
                .successHandler(this::loginSuccessHandle)
                .failureHandler(this::loginFailureHandle);
        })
        .logout(LogoutConfigurer::permitAll)
        .exceptionHandling(handle -> {
            handle.authenticationEntryPoint(this::unAuthHandle);
        })
        .addFilterBefore(requestFilter(), UsernamePasswordAuthenticationFilter.class)
        .csrf(AbstractHttpConfigurer::disable)
        .cors(Customizer.withDefaults());
    return http.build();
}
```
But if I replace it with auth.requestMatchers("/**").permitAll(), there is no problem.

It has had me stuck for a few hours. Can someone help me? Here is my full code on GitHub: GitHub Repo