Jhipster new Roles - Full authentication is required

ROBlackSnail :

I have a problem where I cannot access any URL while logged in on an account with a custom defined ROLE.

To create the new roles for my app, I added my new roles in the AuthoritiesConstants class and in authorities.csv. Then I manually inserted my new desired roles, ROLE_STUDENT and ROLE_PROFESOR, in my h2-database.

Then I logged in on the admin account and tried and succeeded to create a new user with the ROLE_STUDENT. Then I logged on to this new account and tried to access http://localhost:9000/api/users to get the full list of users. I got the following error:

2020-03-19 10:59:05.687 DEBUG 13892 --- [ XNIO-1 task-15] base.aop.logging.LoggingAspect           : Enter: base.repository.CustomAuditEventRepository.add() with argument[s] = [AuditEvent [timestamp=2020-03-19T08:59:05.686Z, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]]
2020-03-19 10:59:05.691 DEBUG 13892 --- [ XNIO-1 task-15] base.aop.logging.LoggingAspect           : Exit: base.repository.CustomAuditEventRepository.add() with result = null
2020-03-19 10:59:05.693  WARN 13892 --- [ XNIO-1 task-15] o.z.problem.spring.common.AdviceTraits   : Unauthorized: Full authentication is required to access this resource
2020-03-19 10:59:05.695  WARN 13892 --- [ XNIO-1 task-15] .m.m.a.ExceptionHandlerExceptionResolver : Resolved [org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource]

In my SecurityConfiguration class, this url falls under .antMatchers("/api/**").authenticated(). So I was supposed to be able to access it from any account, as long as I am logged in.

To my dismay, it seems I cannot access any URL, apart from the home page, from this account. I manually checked my database to see if the user has been created and has the correct role. All is well there. Can someone help me solve this?

vicpermir :

You have to open the routes to the new roles too; this is done on the client side. This is more or less how it looks if you use Angular.

The home component is open to anyone as you can see in the file home.route.ts.

export const HOME_ROUTE: Route = {
  path: '',
  component: HomeComponent,
  data: {
    authorities: [], // <- Empty, so anyone can access the home
    pageTitle: 'home.title'
  }
};

On the other hand, if you want to grant access to a new role in a regular component, you'll have to add it to the valid authorities array in your [entity-name].route.ts.

export const fooRoute: Routes = [
  {
    ...
    data: {
      authorities: ['ROLE_STUDENT', 'ROLE_PROFESOR'],
      ...
    },
...

That gives access to any user who has either ROLE_STUDENT or ROLE_PROFESOR, but not regular users (who only have ROLE_USER). This was just an example.

In any case, if I understood your question correctly, you were trying to access an api/... mapping directly in your browser. That's not a good idea and it's good that it fails since the client usually adds stuff to most requests so that they are properly handled and validated by the server (XSRF, auth token, ...).
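The two points in the answer above, the client-side route authority check and the auth token the client attaches to API calls, as an added example. This is not vicpermir's code and not JHipster's own source; it is a dependency-free TypeScript stand-in whose names (hasAnyAuthority, guardRoute, authHeaders, the sample accounts) are assumed for illustration and only mirror the behaviour of the generated UserRouteAccessService, AccountService and JWT interceptor.

```typescript
// Added example, not from the question or from JHipster: a plain TypeScript
// model of the client-side checks discussed in the answer, written without
// Angular so it runs stand-alone under node.

// Authorities an Angular route declares in its `data.authorities` array.
// An empty array means "open to anyone", as in HOME_ROUTE.
type RouteAuthorities = string[];

// What the client knows about the current identity: null when nobody is
// logged in, otherwise the authorities the account endpoint returned.
type Account = { login: string; authorities: string[] } | null;

// Stand-in for AccountService.hasAnyAuthority: an anonymous visitor never
// qualifies; a logged-in user qualifies if they hold at least one of the
// requested authorities (a single string or an array is accepted).
export function hasAnyAuthority(account: Account, required: string | RouteAuthorities): boolean {
  const needed = Array.isArray(required) ? required : [required];
  if (account === null || account.authorities.length === 0) {
    return false;
  }
  return needed.some(authority => account.authorities.includes(authority));
}

export type GuardDecision = 'allow' | 'redirect-to-login' | 'access-denied';

// Stand-in for the route guard: a route with no authority requirement is
// open to everyone (even anonymous); otherwise anonymous users are sent to
// login and authenticated users without the authority get access denied.
export function guardRoute(account: Account, route: RouteAuthorities): GuardDecision {
  if (route.length === 0) {
    return 'allow';
  }
  if (hasAnyAuthority(account, route)) {
    return 'allow';
  }
  return account === null ? 'redirect-to-login' : 'access-denied';
}

// Request side: the generated JWT interceptor adds the stored token as a
// Bearer header to every API call. Typing a /api/... URL into the address
// bar bypasses the interceptor, so the server sees an anonymous request and
// answers 401 "Full authentication is required" rather than 403.
export function authHeaders(storedToken: string | null): Record<string, string> {
  return storedToken ? { Authorization: `Bearer ${storedToken}` } : {};
}

// Constructed sample data matching the question: a user the admin created
// with ROLE_STUDENT, a regular ROLE_USER account, and nobody logged in.
export const STUDENT: Account = { login: 'student1', authorities: ['ROLE_STUDENT'] };
export const PLAIN_USER: Account = { login: 'user', authorities: ['ROLE_USER'] };
export const ANONYMOUS: Account = null;

// Route authority arrays as they would appear in home.route.ts and a
// [entity-name].route.ts that was opened to the new roles.
export const HOME_AUTHORITIES: RouteAuthorities = [];
export const STUDENT_OR_PROFESOR: RouteAuthorities = ['ROLE_STUDENT', 'ROLE_PROFESOR'];
export const USER_ONLY: RouteAuthorities = ['ROLE_USER'];

// Summary of the decisions for the sample accounts, for a quick look.
export function summary(): Record<string, GuardDecision> {
  return {
    studentOnOpenedRoute: guardRoute(STUDENT, STUDENT_OR_PROFESOR),
    studentOnUserOnlyRoute: guardRoute(STUDENT, USER_ONLY),
    plainUserOnOpenedRoute: guardRoute(PLAIN_USER, STUDENT_OR_PROFESOR),
    anonymousOnHome: guardRoute(ANONYMOUS, HOME_AUTHORITIES),
    anonymousOnOpenedRoute: guardRoute(ANONYMOUS, STUDENT_OR_PROFESOR),
  };
}
```

The studentOnUserOnlyRoute entry is the situation in the question: a route that still lists only ROLE_USER denies a user whose sole authority is ROLE_STUDENT, which is why the new role has to be added to each route's authorities array; the authHeaders result for a missing token is an empty object, which is what a bare browser navigation sends.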
