I want to verify the user's identity when he or she sends a localhost:8080/submit request, so I added the following to the SecurityConfig class:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            .antMatchers("/submit").access("hasRole('WORKER')")
            .antMatchers("/**").permitAll()
            .and()
            .formLogin()
            .loginPage("/login")
            .and()
            .logout()
            .logoutSuccessUrl("/")
            .and()
            .rememberMe()
            .tokenValiditySeconds(4838400)
            .key("workerKey");
}

I wish the page could redirect to localhost:8080/login when I input localhost:8080/submit in the address field. My Worker entity has the role "WORKER":

@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    return Arrays.asList(new SimpleGrantedAuthority("WORKER"));
}

I can register an account and I am redirected to the login page when I input "localhost:8080/submit". But when I input the correct username and password, it responds with an error page instead of the submit page:

There was an unexpected error (type=Forbidden, status=403). Forbidden

My submit page is simply a "welcome" word page. My mappings are:

@RequestMapping(value = "/login", method = RequestMethod.GET)
public String showLogin() {
    return "login";
}

@RequestMapping(value = "/submit", method = RequestMethod.GET)
public String showSubmit() {
    return "submit";
}

And when I input localhost:8080/submit again, it did not redirect to the login page this time. Instead, it redirects to the error page directly and shows the same error. So what forbids me from being redirected to the submit page?

yahoo
  • I don't know exactly the problem with your case. But if you want a working solution when the user should authenticate if it hits `/submit`, I can provide one. – ISlimani Jul 02 '18 at 03:35
  • @Dfor That would be also great! How do I get it? – yahoo Jul 02 '18 at 04:06

2 Answers

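import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.User.UserBuilder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Rules are matched in declaration order, so the specific
                // /submit rule has to come before the anyRequest() catch-all.
                .antMatchers("/submit").hasRole("WORKER")
                .anyRequest().fullyAuthenticated()
                .and().formLogin().permitAll()
                .and().logout().permitAll();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // ensure the passwords are encoded properly
        // (withDefaultPasswordEncoder() is deprecated because it is meant for demos only)
        @SuppressWarnings("deprecation")
        UserBuilder users = User.withDefaultPasswordEncoder();
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        // roles("WORKER") stores the granted authority as "ROLE_WORKER"
        manager.createUser(users.username("me").password("me").roles("WORKER").build());
        return manager;
    }

}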

You can customize even more with your custom login page.

ISlimani

I have found the problem myself. I need to change the role "WORKER" in the Worker class to "ROLE_WORKER". Like this:

@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    return Arrays.asList(new SimpleGrantedAuthority("ROLE_WORKER"));
}

It seems I cannot simplify the role "ROLE_WORKER" into "WORKER" in the Worker class but can simplify it in the SecurityConfig class.

yahoo
  • See this URL to remove the prefix in Spring Security roles: https://stackoverflow.com/questions/38134121/how-do-i-remove-the-role-prefix-from-spring-security-with-javaconfig – hicham abdedaime Jul 02 '18 at 08:21
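
The prefix behaviour behind the 403 in this thread, as an added example that is not code from any of the posts above: it evaluates the same `hasRole` / `hasAuthority` checks that `access("...")` expressions use against a user holding either `WORKER` or `ROLE_WORKER`. The class name `RolePrefixDemo`, the user name `worker1` and the `report` helper are made up for illustration; it assumes `spring-security-core` is on the classpath.

```java
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added illustration; class, helper and user names are hypothetical.
public class RolePrefixDemo {

    // An authenticated token carrying exactly one granted authority.
    static Authentication userWith(String authority) {
        return new UsernamePasswordAuthenticationToken(
                "worker1", "n/a", AuthorityUtils.createAuthorityList(authority));
    }

    // SecurityExpressionRoot is abstract; an empty anonymous subclass is enough
    // to call the hasRole/hasAuthority methods that access("...") expressions use.
    static SecurityExpressionRoot expressions(String authority, String rolePrefix) {
        SecurityExpressionRoot root = new SecurityExpressionRoot(userWith(authority)) { };
        root.setDefaultRolePrefix(rolePrefix);
        return root;
    }

    static void report(String label, boolean granted) {
        System.out.printf("%-55s %s%n", label, granted ? "granted" : "denied (403)");
    }

    public static void main(String[] args) {
        // The question's setup: hasRole prepends "ROLE_" before comparing,
        // so it looks for ROLE_WORKER while the user only holds WORKER.
        report("authority WORKER, hasRole('WORKER')",
                expressions("WORKER", "ROLE_").hasRole("WORKER"));

        // Fix from the self-answer: store the prefixed authority.
        report("authority ROLE_WORKER, hasRole('WORKER')",
                expressions("ROLE_WORKER", "ROLE_").hasRole("WORKER"));

        // Alternative: keep the bare authority and compare it verbatim.
        report("authority WORKER, hasAuthority('WORKER')",
                expressions("WORKER", "ROLE_").hasAuthority("WORKER"));

        // Direction of the last comment: with an empty role prefix,
        // hasRole compares the bare name.
        report("authority WORKER, hasRole('WORKER'), empty prefix",
                expressions("WORKER", "").hasRole("WORKER"));
    }
}
```

The empty-prefix case here is set directly on the expression object; how to apply it across an application is what the linked question covers.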