Issue
Here is my security config:

    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("**/feedback")
                .access("hasAnyAuthority('MANAGER','EMPLOYEE')")
            .and().authorizeRequests().antMatchers("/api/**", "/ticket/**")
                .access("isAuthenticated()")
            .and().authorizeRequests().antMatchers("**/create/**")
                .access("hasAnyAuthority('MANAGER','EMPLOYEE')")
            .and().formLogin().loginPage("/login").failureUrl("/login?error")
            .and().formLogin().defaultSuccessUrl("/ticket/all", true)
                .usernameParameter("email")
                .passwordParameter("password")
            .and().csrf().disable();
    }
I want everyone to have access to view tickets at "/ticket", but I want to forbid an engineer access to /ticket/create and /ticket/**/feedback. Right now

    antMatchers("/api/**", "/ticket/**")
        .access("isAuthenticated()")

allows everyone access. How should I do it properly? Is there some kind of overriding rule for multiple antMatchers?
Solution
> I want everyone to have access to view tickets at "/ticket"

Does "everyone" mean authenticated users, or authenticated plus anonymous users?

For authenticated users:

    .antMatchers("/ticket").access("isAuthenticated()")

For authenticated plus anonymous users:

    .antMatchers("/ticket").permitAll()

> but I want to forbid an engineer access to /ticket/create and /ticket/**/feedback.

Engineer? Your question has incomplete information.

Assuming the roles MANAGER, EMPLOYEE and ENGINEER, and that all are authenticated users, then, to allow ticket creation only for MANAGER and EMPLOYEE, modify
    http.authorizeRequests()
            .antMatchers("**/feedback")
                .access("hasAnyAuthority('MANAGER','EMPLOYEE')")
        .and().authorizeRequests()
            .antMatchers("/api/**", "/ticket/**")
                .access("isAuthenticated()")
        .and().authorizeRequests()
            .antMatchers("**/create/**")
                .access("hasAnyAuthority('MANAGER','EMPLOYEE')")

to

    http.authorizeRequests()
            .antMatchers("/ticket").access("isAuthenticated()") // or .permitAll() as explained already
            .antMatchers("**/feedback", "/ticket/**", "**/create/**")
                .access("hasAnyAuthority('MANAGER','EMPLOYEE')")
            .antMatchers("/api/**")
                .access("isAuthenticated()");
Answered By - PraveenKumar Lalasangi
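The ordering rule the answer relies on (the first antMatchers entry that matches a request decides its access, so narrow rules go above broad ones) written out as a complete configuration. This is an added example, not code from the question or the answer: the class name TicketSecurityConfig is assumed, the roles MANAGER, EMPLOYEE and ENGINEER are those stated above, and every pattern carries the leading slash that AntPathMatcher requires before it will match a request path.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class TicketSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Rules are tested top to bottom and the first matching pattern wins,
                // so the narrow MANAGER/EMPLOYEE paths must precede the broad /ticket/** rule.
                .antMatchers("/ticket/create", "/ticket/**/feedback")
                    .hasAnyAuthority("MANAGER", "EMPLOYEE")
                // Any other authenticated user (ENGINEER included) may view tickets and use the API.
                .antMatchers("/ticket", "/ticket/**", "/api/**")
                    .authenticated()
                // Whatever is not listed above is refused instead of being silently left open.
                .anyRequest().denyAll()
            .and()
            .formLogin()
                .loginPage("/login").failureUrl("/login?error")
                .defaultSuccessUrl("/ticket/all", true)
                .usernameParameter("email")
                .passwordParameter("password")
                .permitAll(); // the login page itself must stay reachable under denyAll
        // CSRF protection is left at its default (enabled): form login relies on a session cookie.
    }
}
```

With this ordering an authenticated ENGINEER receives 403 on /ticket/create and /ticket/42/feedback but can still open /ticket; swapping the two antMatchers groups would hand /ticket/create back to the isAuthenticated rule, which is exactly the behaviour the question describes.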