eugenp/learn-spring-security

Video (m1-l3) shows incorrect order of authorization and authentication

jbenhamou opened this issue · 1 comment

Background

Deleting a user requires ROLE_ADMIN authority
From my experiments, it's vital to place the authorization expression before the authentication one

Video Shows (m1-l3)

The video tutorial is showing the following code:

        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .antMatchers("/delete/**").hasRole("ADMIN");

Which results in the delete operation being permitted, when the goal of the lesson was to show it being denied since the user has the USER role only.

Next Lesson Has (m1-l4)

The correct expression is:

        http
            .authorizeRequests()
                .antMatchers("/delete/**").hasRole("ADMIN")
                .anyRequest().authenticated();

Hey @jbenhamou - yes, that's a known issue in the m1-l3 video.
I've added an errata section to the lesson notes to clarify the problem and I'll re-record the lesson after launch.
Cheers and thanks for the very useful feedback,
Eugen.