Roles & SecurityConfig
Hello, so I have 3 roles
and I'm trying to write the authorities etc.; here is my config
but for some reason, when I hit an endpoint that requires the ADMIN authority, such as this endpoint,
it doesn't let me in, even when I'm authenticated and have a session. But when I change the SecurityConfig to the following, it works
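/**
 * Application roles.
 *
 * <p>The constant names ({@code ADMIN}, {@code STAFF}, {@code USER}) are the exact
 * strings the security configuration compares against with {@code hasAuthority(...)}
 * and {@code hasAnyAuthority(...)}. Whatever maps a user's {@code Role} to a
 * {@code GrantedAuthority} must therefore expose {@link #name()} unchanged: adding a
 * prefix such as {@code ROLE_} makes every {@code hasAuthority("ADMIN")} check fail
 * with 403 (if a prefix is wanted, the checks have to become {@code hasRole} instead).
 */
public enum Role {
    ADMIN,
    STAFF,
    USER;
}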
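/**
 * Builds the API's single {@link SecurityFilterChain}.
 *
 * <p>URL rules are evaluated top-down, so the specific {@code /api/v1/...} matchers
 * must stay above {@code anyRequest()}. Authorization uses {@code hasAuthority} /
 * {@code hasAnyAuthority}, which compare the literal strings {@code "ADMIN"},
 * {@code "STAFF"} and {@code "USER"} with {@code GrantedAuthority#getAuthority()};
 * unlike {@code hasRole} there is no implicit {@code ROLE_} prefix.
 *
 * @param http the builder injected by Spring Security
 * @return the configured filter chain
 * @throws Exception propagated from {@link HttpSecurity#build()}
 */
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        // NOTE(review): CSRF protection is disabled while sessions may still be created
        // (IF_REQUIRED below). If the browser authenticates with a session cookie, state-
        // changing endpoints become reachable from cross-site requests. Keep this disabled
        // only if SessionAuthenticationFilter authenticates from a header/token rather
        // than a cookie — confirm.
        .csrf(csrf -> csrf.disable())
        .authorizeHttpRequests(request -> request
            .requestMatchers("/api/v1/auth/**", "/ws/**").permitAll()
            // NOTE(review): these rules pass only when the authenticated principal carries a
            // GrantedAuthority whose getAuthority() is exactly "ADMIN"/"STAFF"/"USER". If the
            // UserDetails maps Role to "ROLE_ADMIN" (or any other prefixed form) the check
            // fails with 403 even for a valid session — align the mapping with these strings,
            // or switch consistently to hasRole(...). Verify against the UserDetails impl.
            .requestMatchers("/api/v1/admin/**").hasAuthority("ADMIN")
            .requestMatchers("/api/v1/staff/**").hasAuthority("STAFF")
            .requestMatchers("/api/v1/user/**").hasAuthority("USER")
            .requestMatchers("/api/v1/adminuser/**").hasAnyAuthority("ADMIN", "USER")
            .requestMatchers("/api/v1/logs/**").hasAnyAuthority("STAFF", "ADMIN")
            // Everything not listed above still requires an authenticated principal.
            .anyRequest().authenticated()
        )
        .sessionManagement(session -> session
            // Framework default: a session is created only when something needs to store
            // state in it.
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
        )
        .authenticationProvider(authenticationProvider)
        // Instantiated inline rather than as a @Bean — presumably so Boot does not also
        // register the filter with the servlet container a second time; verify.
        .addFilterBefore(new SessionAuthenticationFilter(userSessionService), UsernamePasswordAuthenticationFilter.class)
        .logout(logout -> logout
            .logoutUrl("/api/v1/auth/logout")
            .addLogoutHandler(logoutService)
            // API-style logout: clear the security context and answer without a redirect.
            .logoutSuccessHandler((request, response, authentication) -> SecurityContextHolder.clearContext())
        );
    return http.build();
}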
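/**
 * Admin-only endpoints under {@code /api/v1/admin}.
 *
 * <p>Access is enforced twice: by the URL matcher in the security filter chain and by
 * {@code @PreAuthorize} on each handler. Both use the literal authority string
 * {@code "ADMIN"}; if one side is changed to {@code hasRole}, the other must follow,
 * otherwise an authenticated admin is still rejected with 403.
 * NOTE(review): {@code @PreAuthorize} is only honoured when method security is enabled
 * on a configuration class — confirm.
 */
@RestController
@RequestMapping("/api/v1/admin")
@RequiredArgsConstructor
public class AdminController {

    private final InvitationService invitationService;

    /**
     * Creates an invitation for the given e-mail address.
     *
     * @param email recipient address; must be non-blank
     * @return 200 with the service's response body, or 400 when {@code email} is blank
     * @throws MessagingException propagated from the invitation service
     */
    @PostMapping("/invite")
    @PreAuthorize("hasAuthority('ADMIN')")
    public ResponseEntity<String> createInvitation(@RequestParam String email) throws MessagingException {
        // A missing parameter is already rejected by Spring as 400; a present-but-empty
        // value would otherwise reach the service unchecked.
        if (email == null || email.trim().isEmpty()) {
            return ResponseEntity.badRequest().body("email must not be blank");
        }
        String response = invitationService.createInvitation(email);
        return ResponseEntity.ok(response);
    }
}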
// NOTE(review): the fragments below are the before/after rule for /api/v1/admin/**.
// Switching to permitAll() "works" only because it removes the ADMIN check at the URL
// layer entirely: anonymous requests then reach the controller, where @PreAuthorize is
// the sole remaining guard (and only if method security is enabled). That narrows the
// problem to the authority string rather than the matcher — the session's
// GrantedAuthority is presumably not exactly "ADMIN"; compare it with what the
// UserDetails produces instead of leaving permitAll() in place.
.requestMatchers("/api/v1/admin/**").hasAuthority("ADMIN").requestMatchers("/api/v1/admin/**").hasAuthority("ADMIN").requestMatchers("/api/v1/admin/**").permitAll().requestMatchers("/api/v1/admin/**").permitAll()