Can anyone see a failure in this Spring Security config file?
After login I get a debug message:
Access is denied (user is not anonymous)
Try the code below. It worked for me.
    http
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/login**", "/").permitAll()
            .antMatchers("/user/**").access("hasAnyAuthority('USER')")
            .antMatchers("/admin/**").access("hasAnyAuthority('ADMIN')")
            .anyRequest().fullyAuthenticated()
            .and()
        .formLogin();
From the Spring Security documentation
anonymous() Specify that URLs are allowed by anonymous users.
Let's take a look at some of your code:
.and().authorizeRequests().antMatchers("/login").anonymous()
You are telling the system to allow only anonymous users (ROLE_ANONYMOUS) to be able to call the /login mapping.
When you log in with your user, the user has another role and is not anonymous anymore. For this code example you should use permitAll().
Most likely you also want to use permitAll() on other request matchers, and in your case I would also use only one mapping for /login --> formLogin().
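The anonymous() versus permitAll() difference and the ROLE_ prefix handling discussed in this thread, shown as an added example that is not code from any of the posts. The class name is hypothetical, and it assumes users are granted the authorities ROLE_USER and ROLE_ADMIN.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; assumes the application grants its users the
// authorities "ROLE_USER" and "ROLE_ADMIN".
@Configuration
@EnableWebSecurity
public class ExampleSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is left at its default (enabled).
        http
            .authorizeRequests()
                // Before: .antMatchers("/login").anonymous()
                // matches only unauthenticated requests, so an authenticated
                // user requesting /login is denied with
                // "Access is denied (user is not anonymous)".
                // After: permitAll() admits anonymous and authenticated users.
                .antMatchers("/", "/login**").permitAll()
                // hasRole("USER") prepends "ROLE_" and checks for ROLE_USER.
                .antMatchers("/user/**").hasRole("USER")
                // hasAuthority compares the string as written, no prefix added.
                .antMatchers("/admin/**").hasAuthority("ROLE_ADMIN")
                // Everything not matched above requires a logged-in user.
                .anyRequest().authenticated()
                .and()
            // One mapping for the login form; permitAll() here opens the login
            // page and its processing URL without a separate matcher.
            .formLogin().permitAll();
    }
}
```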
This worked for me - hasAuthority("ROLE_USER")
Try with @RolesAllowed("USER") instead of @RolesAllowed("ROLE_USER").
Eventually you could use hasAuthority("ROLE_USER") or hasRole("USER") instead of hasRole("ROLE_USER").
The solution is that the
img.img-rounded.img-responsive(alt='Avatar', src="#{_contextPath}#{profile.avatarPath}")
was wrong. After getting the right path it works for me.
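Just setting this URL as ignored by security?
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        public void configure(WebSecurity web) throws Exception {
            // Requests matching these patterns bypass the Spring Security filter chain.
            web.ignoring().antMatchers("/layouts/**", "/styles/**", "/spring/login");
        }
    ...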