
I have below configuration class where I would like to authorize certain requests and deny all others.

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .httpBasic()
                .and()
                .authorizeRequests()
                    .antMatchers("/phx-config-rest/dev/master").hasRole("DEV")
                    .anyRequest().authenticated()
                .and()
                .csrf()
                .disable();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("devuser")
                .password("dev")
                .roles("DEV");
        }
    }

As per this code my impression was that Spring will only allow me to access /phx-config-rest/dev/master using the user 'devuser', and if I try to access /phx-config-rest/prod/master or any other URL, the request would be considered unauthorized access. BTW, this code piece is regarding Spring Cloud Config Server. Any thoughts?


2 Answers


Change the

    .anyRequest().authenticated()

to

    .anyRequest().denyAll()


You restrict only the URL /phx-config-rest/dev/master to users with role DEV, but all other URLs are accessible to every logged-in user (including user devuser) with any role; see ExpressionUrlAuthorizationConfigurer.AuthorizedUrl#authenticated:

Specify that URLs are allowed by any authenticated user.

You have to use ExpressionUrlAuthorizationConfigurer.AuthorizedUrl#denyAll instead of authenticated:

Specify that URLs are not allowed by anyone.

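The corrected configuration that both answers arrive at, written out as an added example; it is not code from either poster or from Spring Cloud Config. The original matcher and devuser are kept; the PROD role, the produser account and the /phx-config-rest/prod/** matcher are assumptions added to show the general pattern (one explicit rule per profile, denyAll as the catch-all). The "{noop}" password prefix is what Spring Security 5.x's DelegatingPasswordEncoder needs for plain-text in-memory passwords; the page's code predates that requirement. The MockMvc test at the end assumes the spring-boot-starter-test and spring-security-test dependencies are present.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
            .and()
            .authorizeRequests()
                // Rule from the question: only the DEV role may read the dev profile.
                .antMatchers("/phx-config-rest/dev/master").hasRole("DEV")
                // Assumed rule (not on the original page): the prod profile is
                // reserved for a separate PROD role, so devuser cannot read it.
                .antMatchers("/phx-config-rest/prod/**").hasRole("PROD")
                // Catch-all from both answers: any URL not matched above is
                // rejected for everyone, authenticated or not.
                .anyRequest().denyAll()
            .and()
            .csrf().disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            // "{noop}" tells Spring Security 5.x's DelegatingPasswordEncoder
            // the stored value is plain text (the page's code predates this).
            .withUser("devuser").password("{noop}dev").roles("DEV")
            .and()
            // Assumed second account, used only to exercise the PROD rule.
            .withUser("produser").password("{noop}prod").roles("PROD");
    }
}

// Verification of the denial behaviour (assumes Spring Boot test support and
// spring-security-test on the classpath). The dev endpoint's own status is not
// asserted because it depends on the config server's backing repository.
@org.springframework.boot.test.context.SpringBootTest
@org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc
class DenyAllTest {

    @org.springframework.beans.factory.annotation.Autowired
    org.springframework.test.web.servlet.MockMvc mvc;

    @org.junit.jupiter.api.Test
    void devUserCannotReachOtherUrls() throws Exception {
        // Authenticated but not authorized: with denyAll this is 403, whereas the
        // original authenticated() rule would have let devuser through.
        mvc.perform(org.springframework.test.web.servlet.request.MockMvcRequestBuilders
                .get("/phx-config-rest/prod/master")
                .with(org.springframework.security.test.web.servlet.request
                        .SecurityMockMvcRequestPostProcessors.httpBasic("devuser", "dev")))
           .andExpect(org.springframework.test.web.servlet.result.MockMvcResultMatchers
                .status().isForbidden());

        // No credentials at all: httpBasic() challenges with 401 before any rule applies.
        mvc.perform(org.springframework.test.web.servlet.request.MockMvcRequestBuilders
                .get("/phx-config-rest/dev/master"))
           .andExpect(org.springframework.test.web.servlet.result.MockMvcResultMatchers
                .status().isUnauthorized());
    }
}
```

The point the test makes explicit is the difference between authentication and authorization: devuser authenticates successfully against /phx-config-rest/prod/master in both versions of the configuration, but only the denyAll catch-all turns that into a 403. If every URL the server should expose has its own matcher above the catch-all, adding a new endpoint later fails closed rather than open.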
