Spring Security, configuration hasAuthority check on endpoints not working

Tomas Bisciak:

I have Spring Actuator and an administration endpoint for my web application.

In the configure method of my Spring Security configuration I have the following code:

 .and()
 .authorizeRequests()
 .antMatchers("/actuator/**", "/administration/**")
 .hasAuthority(Authority.ADMIN.name())

This does not seem to work. The desired outcome is that only a user with the ADMIN authority can access these endpoints; right now, any authenticated user can do it. I tried it with a user that has the USER authority and not ADMIN, and it works.

This is too dangerous for me, and I don't want to put password protection in place when this can be managed by authorities.

So how can I make sure that only users with the ADMIN authority can access the following endpoints?

I have posted only this small snippet of code; tell me if anything else is required in order for you to be able to help :).

And yes, I have debugged this, and the authorities in my process are set correctly: the admin has the ADMIN authority, and it works for both basic auth and OAuth2. Does anyone know what could be happening?

Only a person who is not logged in at all can't access these endpoints at the moment. Here is my full security config:

        // @formatter:off
    httpSecurity
            .authorizeRequests()
            .antMatchers(
                    Utils.MAPPING_INDEX,
                    Utils.MAPPING_ARTICLE,
                    Utils.MAPPING_IMAGE,
                    Utils.MAPPING_ERROR,
                    Utils.MAPPING_VERIFY_MAIL,
                    Utils.MAPPING_REGISTER,
                    Utils.MAPPING_LOGIN,
                    Utils.MAPPING_LOGIN_ERROR,
                    Utils.MAPPING_LOGIN_VERIFIED,
                    Utils.MAPPING_LOGIN_VERIFICATION_ERROR,
                    Utils.MAPPING_RESET_PASSWORD,
                    Utils.MAPPING_LOGIN_PASSWORD_RESET_SUCCESS,
                    Utils.MAPPING_LOGIN_PASSWORD_RESET_LOCKED,
                    Utils.MAPPING_RESET_PASSWORD_RESET_MAIL_SEND,
                    Utils.MAPPING_LOGIN_PASSWORD_RESET_FAILURE,
                    Utils.MAPPING_INDEX_LOGOUT_SUCCESS,
                    Utils.MAPPING_REGISTER_SUCCESS,
                    Utils.MAPPING_REGISTER,
                    Utils.MAPPING_RESET_PASSWORD,
                    Utils.MAPPING_RESET_PASSWORD_NEW_PASSWORD,
                    Utils.MAPPING_AUTHOR,
                    Utils.MAPPING_CONTACT,
                    Utils.MAPPING_CONTACT_SUCCESS,
                    Utils.MAPPING_CONTACT_FAILURE,
                    Utils.MAPPING_REPORT_WORKAROUND,
                    "/test",
                    "/test1",
                    "/frag1",
                    "/frag2",
                    "/css/**",
                    "/js/**",
                    "/img/**",
                    "/fonts/**",
                    "/external/**",
                    "/favicon.ico",
                    "/favicon_32.ico",
                    "/favicon.svg"
            ).permitAll()
            .anyRequest().authenticated()

            .and()
            .authorizeRequests()
            .antMatchers("/actuator/**", "/administration/**")
            .hasAuthority(Authority.ADMIN.name())


            .and()

            .formLogin()
            .loginPage(Utils.MAPPING_LOGIN)
            .loginProcessingUrl(Utils.MAPPING_LOGIN)
            .usernameParameter("email")
            .passwordParameter("password")
            .successHandler(basicAuthenticationSuccessHandlerImpl)
            .failureUrl(Utils.MAPPING_LOGIN_ERROR)

            .and()

            .logout()
            .logoutUrl(Utils.MAPPING_INDEX)
            .logoutSuccessUrl(Utils.MAPPING_INDEX_LOGOUT_SUCCESS)
            .invalidateHttpSession(true)

            .and()

            .oauth2Login()
            .loginPage(Utils.MAPPING_LOGIN)
            .successHandler(oauth2AuthenticationSuccessHandler);

    // @formatter:on
}
Tomas Bisciak:

This question was answered in a comment; unfortunately the commenter didn't post an answer, so I am doing it. All credit to M. Deinum.

The correct solution is to move

.anyRequest().authenticated()

into the last position of the HttpSecurity configuration. Ordering in this case matters.
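The rules registered through authorizeRequests() are evaluated top to bottom against each request and the first matcher that fits decides the outcome. In the config above, `.anyRequest().authenticated()` is registered before the `/actuator/**` and `/administration/**` rule, so it matches every request first and the ADMIN rule is never consulted; any logged-in user passes. Later Spring Security 5.x releases refuse to start when a matcher is added after anyRequest(), but older versions silently accept it, which is what the asker hit. The following is an added example (not the asker's code, not from M. Deinum) showing the corrected ordering plus a regression test that would have caught the bug. The class names, the literal paths, the `"ADMIN"` string in place of `Authority.ADMIN.name()`, and the presence of spring-boot-starter-actuator (so that `/actuator/health` exists) are assumptions; the two classes are two separate source files shown in one block.

```java
// SecurityConfig.java (added example, Spring Security 5.x WebSecurityConfigurerAdapter style).
// Rules in authorizeRequests() are evaluated in registration order; first match wins,
// so the catch-all anyRequest() must be registered last. Path strings are assumptions.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // 1. Public resources: most specific rules first.
                .antMatchers("/", "/login", "/register", "/css/**", "/js/**", "/img/**").permitAll()
                // 2. Privileged areas: must come BEFORE the catch-all, otherwise anyRequest()
                //    matches first and any authenticated user is let through.
                //    hasAuthority compares the raw GrantedAuthority string, so the stored
                //    authority must be exactly "ADMIN" (hasRole would expect "ROLE_ADMIN").
                .antMatchers("/actuator/**", "/administration/**").hasAuthority("ADMIN")
                // 3. Catch-all last: everything not matched above needs a login.
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/login")
                .usernameParameter("email")
                .passwordParameter("password")
            .and()
            .logout()
                .logoutSuccessUrl("/")
                .invalidateHttpSession(true);
    }
}

// AdminEndpointAccessTest.java (added example): regression test using spring-security-test.
// Assumes spring-boot-starter-actuator is on the classpath so /actuator/health is served.
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class AdminEndpointAccessTest {

    @Autowired
    private MockMvc mvc;

    @Test
    @WithMockUser(authorities = "USER")
    void plainUserIsForbiddenFromActuator() throws Exception {
        // With anyRequest().authenticated() registered first this request returned 200.
        mvc.perform(get("/actuator/health")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(authorities = "ADMIN")
    void adminCanReachActuator() throws Exception {
        mvc.perform(get("/actuator/health")).andExpect(status().isOk());
    }

    @Test
    void anonymousIsSentToLogin() throws Exception {
        // No principal at all: formLogin redirects to the login page rather than serving the page.
        mvc.perform(get("/administration/")).andExpect(status().is3xxRedirection());
    }
}
```

The first test is the one that matters: it encodes the security requirement as a 403 for a non-admin principal, so a future reordering of the matchers fails the build instead of quietly exposing the actuator. Note also that splitting the rules across two authorizeRequests() calls, as in the original config, gives no separate "second pass"; both calls feed the same ordered registry.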

Origin http://43.154.161.224:23101/article/api/json?id=157147&siteId=1