I am trying to implement a Spring Security mechanism on this little project that will limit interactions with the request URL by roles.
I have two roles, USER and ADMIN: USER can see the items but not add or delete them, while ADMIN can do both.
Now the problem: requests from the USER role, and even from unauthenticated users, to create/delete/read an item are somehow allowed. It seems to me that my application is not configured correctly somewhere.
SecurityConfig:
```java
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("{noop}12345").roles("USER").and()
            .withUser("admin").password("{noop}12345").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and().authorizeRequests()
            .antMatchers("api/**").hasRole("ADMIN")
            .antMatchers("api/items", "api/items/").hasRole("USER")
            .anyRequest().authenticated()
            .and().csrf().disable().headers().frameOptions().disable();
    }
}
```

Controller:

```java
@RestController
public class ItemController {

    @Autowired
    private ItemService itemService;

    @GetMapping("/api/items")
    public List<Item> getItems() {
        return itemService.getAllItems();
    }

    @PostMapping(value = "/api/addItem", consumes = {"application/json"}, produces = {"application/json"})
    @ResponseBody
    public Item addItem(@RequestBody Item item) {
        itemService.addItem(item);
        return item;
    }

    @DeleteMapping(value = "api/deleteItem/{id}")
    @ResponseBody
    public String deleteItem(@PathVariable int id) {
        itemService.deleteItem(id);
        return "Deleted";
    }
}
```

I am sending requests to the following URLs:

```
http://localhost:8080/api/items        // GET
http://localhost:8080/api/addItem      // POST
http://localhost:8080/api/deleteItem/4 // DELETE
```
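For comparison, the same two-role scheme written so that the rules actually bind to the controller paths shown above (an added example, not the asker's code; it assumes the same in-memory users, the same `/api/...` paths, and Spring Security 5.x with `WebSecurityConfigurerAdapter`):

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Same users as in the question (assumption: {noop} is fine for a demo only).
        auth.inMemoryAuthentication()
            .withUser("user").password("{noop}12345").roles("USER")
            .and()
            .withUser("admin").password("{noop}12345").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
            .and()
            .authorizeRequests()
                // Ant patterns are matched against the servlet path, which always
                // starts with "/". A pattern such as "api/**" (no leading slash)
                // never matches, so neither original rule ever applied.
                //
                // Rules are evaluated top to bottom and the first match wins, so
                // the narrow read-only rule must precede the broad admin rule;
                // the other way round "/api/**" would swallow "/api/items" first.
                .antMatchers(HttpMethod.GET, "/api/items", "/api/items/").hasAnyRole("USER", "ADMIN")
                .antMatchers("/api/**").hasRole("ADMIN")
                // Deny by default: anything not listed still needs a login.
                .anyRequest().authenticated()
            .and()
            // Carried over from the question; acceptable for a stateless
            // Basic-auth API, but keep CSRF on for any session-based UI.
            .csrf().disable()
            .headers().frameOptions().disable();
    }
}
```

With this ordering a GET on `/api/items` succeeds for either user, while POST `/api/addItem` and DELETE `/api/deleteItem/4` return 403 for `user` and 401 when no credentials are sent.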