Develop Reference

VS2019 No intellisense in Razor pages due RemoteInvocationException

Every time I enter in a razor Page (aspnet core 5 or prior) VS2019 raises this exception.
I don't know if this is the cause, but I don't have Intellisense in any part of a razor pages (eg. Model., #Html. or object.)
ALL THE EXTENSION ARE DISABLED, so not their fault....
Activity.xml Log has this error
Any Help ?
StreamJsonRpc.RemoteInvocationException: No method by the name 'textDocument/documentHighlight' is found.at StreamJsonRpc.JsonRpc.d__1331.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at Microsoft.VisualStudio.LanguageServer.Client.JsonRpcExtensionMethods.<SendMethodRequestAsync>d__12.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at Microsoft.VisualStudio.LanguageServer.Client.RemoteDocumentHighlightBroker.<>c__DisplayClass4_0.<g__DocumentHighlighRequest|0>d.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at Microsoft.VisualStudio.LanguageServer.Client.StreamingRequestBroker3.<DoStreamingRequestAsync>d__5.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at Microsoft.VisualStudio.Threading.ThreadingTools.<WithCancellationSlow>d__81.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at Microsoft.VisualStudio.LanguageServer.Client.SynchronizationManager.d__51.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at Microsoft.VisualStudio.LanguageServer.Client.DocumentHighlightTagger.<UpdateDocumentHighlightsAsync>d__25.MoveNext() --- End of stack trace from previous location where exception was thrown ---at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at Microsoft.VisualStudio.Shell.VsTaskLibraryHelper.<>c__DisplayClass35_0.<<FileAndForget>b__0>d.MoveNext() --- End of stack trace from previous location where exception was thrown --- at Microsoft.VisualStudio.Telemetry.WindowsErrorReporting.WatsonReport.GetClrWatsonExceptionInfo(Exception exceptionObject) RPC server exception: StreamJsonRpc.RemoteMethodNotFoundException: No method by the name 'textDocument/documentHighlight' is found.at StreamJsonRpc.JsonRpc.<InvokeCoreAsync>d__1331.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at Microsoft.VisualStudio.LanguageServer.Client.JsonRpcExtensionMethods.d__02.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at Microsoft.VisualStudio.LanguageServer.Client.RemoteLanguageServiceBroker.<RequestAsync>d__304.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at Microsoft.VisualStudio.Threading.ThreadingTools.<WithCancellationSlow>d__81.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at Microsoft.VisualStudio.LanguageServer.Client.SynchronizationManager.d__51.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at Microsoft.VisualStudio.LanguageServer.Client.RemoteLanguageServiceBroker.<RequestAsync>d__248.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at Microsoft.VisualStudio.LanguageServer.ContainedLanguage.DefaultLSPRequestInvoker.<RequestServerCoreAsync>d__72.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)at Microsoft.VisualStudio.LanguageServerClient.Razor.HtmlCSharp.DocumentHighlightHandler.d__5.MoveNext()

SpringBoot Thymeleaf security authorization

I have problem with sec::authorize, it's, not working. I tried almost everything.
This is example from my project:
<div sec:authorize="isAuthenticated()">
<form action="logmeout" th:action="#{/logmeout}" method="post" id="form1"></form>
<button type="submit" form="form1" value="Submit">Wyloguj</button>
</div>
<div sec:authorize="isAnonymous()">
<form action="logmeout" th:action="#{/logmeout}" method="post" id="form2"></form>
<button type="submit" form="form2" value="Submit">Zaloguj</button>
</div>
Sec:authorize is always true and all forms are visible.
My pom file:
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>nz.net.ultraq.thymeleaf</groupId>
<artifactId>thymeleaf-layout-dialect</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity3</artifactId>
<version>2.1.2.RELEASE</version>
</dependency>
<dependency>
<groupId>com.opencsv</groupId>
<artifactId>opencsv</artifactId>
<version>4.4</version>
</dependency>
</dependencies>
<build>
<finalName>springApp</finalName>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
And SecurityConfig:
#Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Bean
public PasswordEncoder passwordEncoder() {
PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
return passwordEncoder;
}
#Override
protected void configure(HttpSecurity http) throws Exception {
String[] staticResources = {
"/css/**",
"/img/**",
"/fonts/**",
"/scripts/**",
};
http
.authorizeRequests()
.antMatchers(staticResources).permitAll()
.antMatchers("/").permitAll()
.antMatchers("/register").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/loginform")
.permitAll()
.loginProcessingUrl("/processlogin")
.permitAll()
.usernameParameter("user")
.passwordParameter("pass")
.and()
.logout()
.logoutUrl("/logmeout")
.logoutSuccessUrl("/logoutservice")
.permitAll();
}
}
When I try add:
<div th:text="${#authentication.name}">
I see error Exception evaluating SpringEL expression: "#authentication.name" .
How can I handle with that?

Most of these cases are related with your dependencies and related versions. I am assuming yor spring-boot version is 2.1.X then you should be using the following dependency:
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
This is also noted in this SO question.

Upgrade from 7.3.4 to 7.8.1 Umbraco - Umbraco.Web.Editors.ContentController - Unhandled controller exception occurred

Issue:
After upgrading Umbraco for a client, they can no longer create content. We upgraded them from 7.3.4 to 7.8.1:
https://our.umbraco.org/download/releases/compare?from=7.3.4&to=7.8.1#issuesTasks
The error being thrown on the front end is:
"Failed to retrieve data for empty content item type"
And back end log is:
2018-03-06 20:25:27,723 [P832/D2/T16] ERROR Umbraco.Web.Editors.ContentController - Unhandled controller exception occurred System.NullReferenceException: Object reference not set to an instance of an object. at Umbraco.Web.Security.WebSecurity.IsAuthenticated() at Umbraco.Web.Security.WebSecurity.ValidateCurrentUser(Boolean throwExceptions, Boolean requiresApproval) at Umbraco.Web.WebApi.UmbracoAuthorizedApiController.get_UmbracoUser() at Umbraco.Web.Editors.ContentController.GetEmpty(String contentTypeAlias, Int32 parentId) at lambda_method(Closure , Object , Object[] ) at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters) at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instance, Object[] arguments) at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<ExecuteActionFilterAsyncCore>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<ExecuteActionFilterAsyncCore>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<ExecuteActionFilterAsyncCore>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<ExecuteActionFilterAsyncCore>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<ExecuteActionFilterAsyncCore>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<ExecuteActionFilterAsyncCore>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.<ExecuteActionFilterAsyncCore>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.AuthorizationFilterAttribute.<ExecuteAuthorizationFilterAsyncCore>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.AuthorizationFilterAttribute.<ExecuteAuthorizationFilterAsyncCore>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.AuthorizationFilterAttribute.<ExecuteAuthorizationFilterAsyncCore>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.AuthorizationFilterAttribute.<ExecuteAuthorizationFilterAsyncCore>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Controllers.ExceptionFilterResult.<ExecuteAsync>d__0.MoveNext()
Any ideas what needs to be done?
Notes:
https://github.com/umbraco/Umbraco-CMS/blob/7ee510ed386495120666a78c61497f58ff05de8f/src/Umbraco.Web/Security/WebSecurity.cs
I debugged umbraco and this is where it's stopping:
I seem to have an http context on loading the nodes just fine, it's only when i go to create content of any type.
I wonder if this is relevant?
public class UnityConfig
{
private static Lazy<IUnityContainer> container = new Lazy<IUnityContainer>(() =>
{
var container = new UnityContainer();
RegisterTypes(container);
return container;
});
public static IUnityContainer GetConfiguredContainer()
{
return container.Value;
}
public static void RegisterTypes(IUnityContainer container)
{
container.RegisterType<UmbracoContext>(
new HierarchicalLifetimeManager(),
new InjectionFactory(c => UmbracoContext.Current));
container.RegisterType<HealthCheckController>(new InjectionConstructor());
container.RegisterType<UserTreeController>(new InjectionConstructor());
container.RegisterType<Umbraco.Web.Editors.UsersController>(new InjectionConstructor());
container.RegisterType<LegacyTreeController>(new InjectionConstructor());
container.RegisterType<IUnitOfWork, UmbracoUnitOfWork>();
container.RegisterType<IServices, UmbracoServices>();
}
}
or this:
public class UmbracoWebAPIHttpControllerActivator : IHttpControllerActivator
{
private readonly DefaultHttpControllerActivator defaultHttpControllerActivator;
public UmbracoWebAPIHttpControllerActivator()
{
this.defaultHttpControllerActivator = new DefaultHttpControllerActivator();
}
public IHttpController Create(HttpRequestMessage request, HttpControllerDescriptor controllerDescriptor, Type controllerType)
{
if (this.IsUmbracoController(controllerType))
{
return Activator.CreateInstance(controllerType) as IHttpController;
}
return this.defaultHttpControllerActivator.Create(request, controllerDescriptor, controllerType);
}
private bool IsUmbracoController(Type controllerType)
{
return controllerType.Namespace != null
&& (!controllerType.Namespace.StartsWith("test", StringComparison.InvariantCultureIgnoreCase));
}
}

My unity container registration:
container.RegisterType<UmbracoContext>(
new HierarchicalLifetimeManager(),
new InjectionFactory(c => UmbracoContext.Current));
needed to be:
container.RegisterType<UmbracoContext>(
new TransientLifetimeManager(),
new InjectionFactory(c => UmbracoContext.Current));
https://msdn.microsoft.com/en-us/library/ff660872%28v=pandp.20%29.aspx?f=255&MSPPError=-2147217396

spring-boot restricted url

Good day,
I have a spring-boot 1.1.4.RELEASE app,that is using spring-security included as dependencies such as:
compile("org.springframework.boot:spring-boot-starter-security")
compile("org.springframework.security:spring-security-web:4.0.0.M1")
compile("org.springframework.security:spring-security-config:4.0.0.M1")
compile('org.thymeleaf.extras:thymeleaf-extras-springsecurity3:2.1.1.RELEASE')
I have two types of roles: "User" and "Admin". The latter has everything the former, but also access to an administration screen. In my Thymeleaf page, I only display that link to users with an Admin role via, which works just fine:
<li sec:authorize="hasRole('ADMIN')">
<i class="fa fa-link"></i><a th:href="#{/admin}">
Administer User</a>
</li>
However, if I manually type in the url to that page (http://localhost:9001/admin), all roles can access it. I thought i was controlling this via the Security Configuration class:
#Configuration
#EnableWebMvcSecurity
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
#Autowired
private CustomUserDetailsService customUserDetailsService;
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers( "/" ).permitAll()
.antMatchers("/admin/").hasRole("ADMIN") <== also tried .antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers( "/resources/**" ).permitAll()
.antMatchers( "/css/**" ).permitAll()
.antMatchers( "/libs/**" ).permitAll();
http
.formLogin().failureUrl( "/login?error" )
.defaultSuccessUrl( "/" )
.loginPage( "/login" )
.permitAll()
.and()
.logout().logoutRequestMatcher( new AntPathRequestMatcher( "/logout" ) ).logoutSuccessUrl( "/" )
.permitAll();
http
.sessionManagement()
.maximumSessions( 1 )
.expiredUrl( "/login?expired" )
.maxSessionsPreventsLogin( true )
.and()
.sessionCreationPolicy( SessionCreationPolicy.IF_REQUIRED )
.invalidSessionUrl( "/" );
http
.authorizeRequests().anyRequest().authenticated();
}
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
PasswordEncoder encoder = new BCryptPasswordEncoder();
auth.userDetailsService( customUserDetailsService ).passwordEncoder( encoder );
}
}
Is there something missing or incorrect in my configuration?
Update:
The solution I used, based upon Dave's answer was to use the following three lines:
.antMatchers( "/admin**" ).hasAuthority("ADMIN" )
.antMatchers( "/admin/" ).hasAuthority( "ADMIN" )
.antMatchers( "/admin/**" ).hasAuthority( "ADMIN" )
This will render a 403 error on the browser. Eventually I will try and get it to redirect to either an error page or "/'.

You only explicitly protected "/admin/" (with a trailing slash). I imagine you need to be more precise than that if you are visiting "/admin" (without a trailing slash).

Difficulty upgrading to Spring Security 3.2 using Java Config to remove the ROLE_ prefix

I am having some difficulty in upgrading to Spring Security 3.2 using Java Config around customizing the RoleVoter to remove the ROLE_ prefix. Specifically, I have this from the original XML:
<!-- Decision Manager and Role Voter -->
<bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions">
<value>false</value>
</property>
<property name="decisionVoters">
<list>
<ref local="roleVoter" />
</list>
</property>
</bean>
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
<property name="rolePrefix">
<value />
</property>
</bean>
I have tried to do create the similar configuration in my #Configuration object as such
#Bean
public RoleVoter roleVoter() {
RoleVoter roleVoter = new RoleVoter();
roleVoter.setRolePrefix("");
return roleVoter;
}
#Bean
public AffirmativeBased accessDecisionManager() {
AffirmativeBased affirmativeBased = new AffirmativeBased(Arrays.asList((AccessDecisionVoter)roleVoter()));
affirmativeBased.setAllowIfAllAbstainDecisions(false);
return affirmativeBased;
}
...
#Override
protected void configure(HttpSecurity http) throws Exception
{
http
.authorizeRequests()
.accessDecisionManager(accessDecisionManager())
.antMatchers("/protected/**").hasRole("my-authenticated-user")
.anyRequest().authenticated()
.and()
.formLogin()
.permitAll()
.and()
.logout()
.permitAll();
}
This is where I am now having difficulty, I end up with an exception in the log that look like this:
Caused by: java.lang.IllegalArgumentException: Unsupported configuration attributes: [permitAll, hasRole('ROLE_my-authenticated-user'), permitAll, authenticated, permitAll, permitAll, permitAll]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.afterPropertiesSet(AbstractSecurityInterceptor.java:156) ~[spring-security-core-3.2.0.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.web.configurers.AbstractInterceptUrlConfigurer.createFilterSecurityInterceptor(AbstractInterceptUrlConfigurer.java:187) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.web.configurers.AbstractInterceptUrlConfigurer.configure(AbstractInterceptUrlConfigurer.java:76) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.configure(ExpressionUrlAuthorizationConfigurer.java:70) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.web.configurers.AbstractInterceptUrlConfigurer.configure(AbstractInterceptUrlConfigurer.java:64) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.configure(AbstractConfiguredSecurityBuilder.java:378) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:327) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:39) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:293) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:74) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:331) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:39) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:92) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerByCGLIB$$a7068b50.CGLIB$springSecurityFilterChain$3(<generated>) ~[spring-core-3.2.4.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerByCGLIB$$a7068b50$$FastClassByCGLIB$$a17f24f9.invoke(<generated>) ~[spring-core-3.2.4.RELEASE.jar:3.2.0.RELEASE]
at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228) ~[spring-core-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:286) ~[spring-context-3.2.4.RELEASE.jar:3.2.4.RELEASE]
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerByCGLIB$$a7068b50.springSecurityFilterChain(<generated>) ~[spring-core-3.2.4.RELEASE.jar:3.2.0.RELEASE]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_25]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_25]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_25]
at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_25]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:160) ~[spring-beans-3.2.4.RELEASE.jar:3.2.4.RELEASE]
... 60 common frames omitted
At this point, I am not sure where the ROLE_ is coming from if the RoleVoter is properly configured.

For the _ROLE part you have to use hasAnyAuthority(..) instead of hasAnyRole(..)
From the JavaDoc
If you do not want to have "ROLE_" automatically inserted see
hasAnyAuthority(String)