Spring Security - Access is denied (user is not anonymous) spring-security-core-4.0.3.RELEASE
From the Spring Security documentation
anonymous() Specify that URLs are allowed by anonymous users.
Let's take a look at some of your code:
.and().authorizeRequests().antMatchers("/login").anonymous()
You are telling the system to allow only anonymous users (ROLE_ANONYMOUS) to be able to call the /login mapping.
When you log in with your user, the user has another role and is not anonymous anymore. For this code example you should use permitAll().
Most likely you also want to use permitAll() on other request matchers and in your case I would also use only one mapping for /login --> formLogin().
This worked for me - hasAuthority("ROLE_USER")
Try with @RolesAllowed("USER") instead of @RolesAllowed("ROLE_USER").
Eventually you could use hasAuthority("ROLE_USER") or hasRole("USER") instead of hasRole("ROLE_USER").
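An added example (not code from the question or from any of the answers) that puts the points above into one Spring Security 4 Java configuration: the login page is opened through formLogin().permitAll() instead of anonymous(), and the role checks use the forms that account for the ROLE_ prefix. The class name, the /account/** and /reports/** paths and the in-memory demo user are assumptions made for illustration.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical configuration class for illustration.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Before (from the question):
                //   .antMatchers("/login").anonymous()
                // anonymous() matches only unauthenticated callers (ROLE_ANONYMOUS),
                // so a logged-in user requesting /login gets "Access is denied".

                // hasRole adds the ROLE_ prefix itself: this checks for ROLE_USER.
                .antMatchers("/account/**").hasRole("USER")   // hypothetical path
                // hasAuthority compares the full authority string, prefix included.
                .antMatchers("/reports/**").hasAuthority("ROLE_USER")   // hypothetical path
                .anyRequest().authenticated()
                .and()
            // After: a single mapping for /login. permitAll() here opens the
            // login page and its processing URL to every caller, anonymous
            // or authenticated.
            .formLogin()
                .permitAll();
    }

    // Constructed demo user; roles("USER") grants the authority ROLE_USER.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("demo").password("demo-password").roles("USER");
    }
}
```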