I have this code in my Web Security Config:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/api/**")
.hasRole("ADMIN")
.and()
.httpBasic().and().csrf().disable();
}
So I added an user with "ADMIN" role in my database and I always get 403 error when I tryed loggin with this user, then I enabled log for spring and I found this line:
2015-10-18 23:13:24.112 DEBUG 4899 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/user/login; Attributes: [hasRole('ROLE_ADMIN')]
Why Spring Security is looking for "ROLE_ADMIN" instead "ADMIN"?
Spring security adds the prefix "ROLE_" by default.
If you want this removed or changed, take a look at
How to change role from interceptor-url?
EDIT: found this as well: Spring Security remove RoleVoter prefix