`EnableWebSecurity` will provide configuration via [HttpSecurity][1]. It&#39;s the configuration you could find with `&lt;http&gt;&lt;/http&gt;` tag in xml configuration, it allows you to configure your access based on urls patterns, the authentication endpoints, handlers etc...

`EnableGlobalMethodSecurity` provides AOP security on methods. Some of the annotations that it provides are `PreAuthorize`, `PostAuthorize`. It also has support for [JSR-250][2]. [There are more parameters in the configuration for you][3]

For your needs, it&#39;s better to mix the two. With REST you can achieve everything you need only by using `@EnableWebSecurity` since `HttpSecurity#antMatchers(HttpMethod,String...)` accepts control over Http methods

  [1]: http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#jc-httpsecurity
  [2]: http://en.wikipedia.org/wiki/JSR_250
  [3]: http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#method-security-expressions

I&#39;m currently using a text input to filter a list of items. I&#39;d like to make it so when a particular variable is set, the list doesn&#39;t filter, regardless of what the text input is. Any advice on how I can accomplish this?

	&lt;a ng-repeat=&quot;set in data | filter: { value: search }&quot; data-id=&quot;{{set.id}}&quot; ng-mousedown=&quot;setBox(set)&quot; ng-mouseover=&quot;setSelected(set, $event)&quot; ng-bind-html=&quot;set.value | trustHTML&quot;&gt;&lt;/a&gt;


Making an angular filter conditional

I am trying to apply `_pickle` to save data onto disk. But when calling `_pickle.dump`, I got an error
    
    OverflowError: cannot serialize a bytes object larger than 4 GiB

Is this a hard limitation to use `_pickle`? (`cPickle` for python2)

_pickle in python3 doesn&#39;t work for large data saving

I am developing a REST API using Spring 4. I would like to secure some of the endpoints using Spring Security, but based on what I&#39;ve read this can be done with either `@EnableGlobalMethodSecurity` or `@EnableWebSecurity`. Unfortunately, the documentation that I have found for these don&#39;t clearly explain what they do (or how they compare). If I want to secure a Spring REST API with authentication and authorization based on data and relationships declared in a standard relational database, what is the recommended method for achieving this in Spring 4?

@EnableGlobalMethodSecurity vs @EnableWebSecurity

<p>I am developing a REST API using Spring 4. I would like to secure some of the endpoints using Spring Security, but based on what I've read this can be done with either <code>@EnableGlobalMethodSecurity</code> or <code>@EnableWebSecurity</code>. Unfortunately, the documentation that I have found for these don't clearly explain what they do (or how they compare). If I want to secure a Spring REST API with authentication and authorization based on data and relationships declared in a standard relational database, what is the recommended method for achieving this in Spring 4?</p>


I am studying for the Spring Core certification an I have some doubts about how Spring handle the **beans lifecycle** and in particular about the **bean post processor**.

So I have this schema:

![enter image description here][1]


It is pretty clear for me what it means:

The following steps take place in the **Load Bean Definitions** phase:

 - The **@Configuration** classes are processed and/or **@Components** are
   scanned for and/or **XML files** are parsed.

 - Bean definitions added to BeanFactory (each indexed under its id)

 - Special **BeanFactoryPostProcessor** beans invoked, it can modify the definition of any bean (for example for the property-placeholder values replacements).

Then the following steps take place in the **beans creation phase**:

 - Each bean is eagerly instantiated by default (created in right order with its dependencies injected).

 - After dependency injection each bean goes through a post-processing
   phase in which further configuration and initialization may occur.

 - After post processing the bean is fully initialized and ready for use (tracked by its id until the context is destroyed)

Ok, this is pretty clear for me and I also know that **there are two types of bean post processors** which are:

 - **Initializers:** Initialize the bean if instructed (i.e. @PostConstruct).

 - and **All the rest:** that allow for additional configuration and that **may run before or after the initialize step**

And I post this slide:

![enter image description here][2]

So it is very clear for me what does the **initializers** bean post processors (they are the methods annotated with **@PostContruct** annotation and that are automatically called immediately after the setter methods (so after the dependency injection), and I know that I can use to perform some initialization batch (as populate a cache as in the previous example).

But what exactly represents the other bean post processor? What do we mean when we say that these steps are performed **before or after the initialization phase**?

So my beans are instantiated and its dependencies are injected, so then the initialization phase is completed (by the execution of a **@PostContruct** annotated method). What do we mean by saying that a Bean Post Processor is used before the initialization phase? It means that it happens before the **@PostContruct** annotated method execution? Does it means that it could happen before the dependency injection (before that the setter methods are called)?

And what exactly do we mean when we say that it is performed **after the initialization step**. It means that it happens after that the execution of a **@PostContruct** annotated method, or what?

I can easily figure into my head why I need a **@PostContruct** annotated method but I can&#39;t figure some typical example of the other kind of bean post processor, can you show me some typical example of when are used?



  [1]: http://i.stack.imgur.com/gL8Ky.jpg
  [2]: http://i.stack.imgur.com/YKAZH.jpg

How exactly does the Spring BeanPostProcessor work?

I&#39;m trying to add a jsp page in my Spring Boot service. My problem is that every time I try to go to that page I have this:

&gt; Whitelabel Error Page
&gt; 
&gt; This application has no explicit mapping for /error, so you are seeing
&gt; this as a fallback.
&gt; 
&gt; Tue Apr 21 23:16:00 EEST 2015 There was an unexpected error (type=Not
&gt; Found, status=404). No message available

I have added the prefix and sufix into my application.properties:

    spring.view.prefix: /WEB-INF/jsp/
    spring.view.suffix: .jsp

This is my controller class:

    @Controller
    public class MarkerController {
    	@RequestMapping(value=&quot;/map&quot;)
    	public String trafficSpy() {
    		return &quot;index&quot;;
    	}
    }

My Application class:

    @SpringBootApplication
    public class Application extends SpringBootServletInitializer {
    	private static Logger logger = Logger.getLogger(Application.class.getName());
    		
    	public static void main(String[] args) {
    		 	logger.info(&quot;SPRING VERSION: &quot; + SpringVersion.getVersion());
    	        SpringApplication.run(Application.class, args);
    	    }
    }

And the index.jsp:

    &lt;!DOCTYPE html&gt;
    &lt;%@ taglib prefix=&quot;c&quot; uri=&quot;http://java.sun.com/jsp/jstl/core&quot;%&gt;
    &lt;html lang=&quot;en&quot;&gt;
    
    &lt;body&gt;
        &lt;h1&gt;Hello, World!!!&lt;/h1&gt;
    
    
        &lt;p&gt;JSTL URL: ${url}&lt;/p&gt;
    &lt;/body&gt;
    
    &lt;/html&gt;

And this is the src file structure:

    ├── src
    │&#160;&#160; ├── main
    │&#160;&#160; │&#160;&#160; ├── java
    │&#160;&#160; │&#160;&#160; │&#160;&#160; └── com
    │&#160;&#160; │&#160;&#160; │&#160;&#160;     └── example
    │&#160;&#160; │&#160;&#160; │&#160;&#160;         └── internetprogramming
    │&#160;&#160; │&#160;&#160; │&#160;&#160;             └── myserver
    │&#160;&#160; │&#160;&#160; │&#160;&#160;                 └── server
    │&#160;&#160; │&#160;&#160; │&#160;&#160;                     ├── Application.java
    │&#160;&#160; │&#160;&#160; │&#160;&#160;                     ├── config
    │&#160;&#160; │&#160;&#160; │&#160;&#160;                     │&#160;&#160; └── DatabaseConfig.java
    │&#160;&#160; │&#160;&#160; │&#160;&#160;                     ├── controller
    │&#160;&#160; │&#160;&#160; │&#160;&#160;                     │&#160;&#160; └── MarkerController.java
    │&#160;&#160; │&#160;&#160; │&#160;&#160;                     ├── dao
    │&#160;&#160; │&#160;&#160; │&#160;&#160;                     │&#160;&#160; ├── MarkerDaoImplementation.java
    │&#160;&#160; │&#160;&#160; │&#160;&#160;                     │&#160;&#160; └── MarkerDaoInterface.java
    │&#160;&#160; │&#160;&#160; │&#160;&#160;                     ├── Marker.java
    │&#160;&#160; │&#160;&#160; │&#160;&#160;                     └── service
    │&#160;&#160; │&#160;&#160; │&#160;&#160;                         ├── MarkerServiceImplementation.java
    │&#160;&#160; │&#160;&#160; │&#160;&#160;                         └── MarkerServiceInterface.java
    │&#160;&#160; │&#160;&#160; ├── resources
    │&#160;&#160; │&#160;&#160; │&#160;&#160; └── application.properties
    │&#160;&#160; │&#160;&#160; └── webapp
    │&#160;&#160; │&#160;&#160;     └── WEB-INF
    │&#160;&#160; │&#160;&#160;         └── jsp
    │&#160;&#160; │&#160;&#160;             └── index.jsp



Spring Boot JSP 404

I&#39;m using `spring-boot` and `@Scheduled` annotation to execute some tasks.

How can I find out what the default pool size of scheduled tasks is by default in spring-boot?

Reason: the following class does not execute the jobs in parallel, but one after the other. Maybe only a single thread executor is configured by default?

    @Service
    public class ZipFileTesterAsync {
    
        @Scheduled(fixedDelay = 60000, initialDelay = 500)
    	public void run() throws Exception {
        	System.out.println(&quot;import 1&quot;);
    	    TimeUnit.MINUTES.sleep(1);
    	    System.out.println(&quot;import 1 finished&quot;);
        }
        
        @Scheduled(fixedDelay = 60000, initialDelay = 1000)
    	public void run2() throws Exception {
        	System.out.println(&quot;import 2&quot;);
    	    TimeUnit.MINUTES.sleep(1);
        }
    }

Result: the 2nd job is executed after the first finished.


What is the default scheduler pool size in spring-boot?

I&#39;ve been working on a Spring/Spring MVC application and I&#39;m looking to add performance metrics. I&#39;ve come across Spring Boot Actuator and it looks like a great solution. However my application is not a Spring Boot application. My application is running in a traditional container Tomcat 8.

I added the following dependencies

    // Spring Actuator
    compile &quot;org.springframework.boot:spring-boot-starter-actuator:1.2.3.RELEASE&quot;

I created the following config class.

    @EnableConfigurationProperties
    @Configuration
    @EnableAutoConfiguration
    @Profile(value = {&quot;dev&quot;, &quot;test&quot;})
    @Import(EndpointAutoConfiguration.class)
    public class SpringActuatorConfig {
    
    }

I even went as far as adding `@EnableConfigurationProperties` on every configuration class as suggested on another post on StackOverflow. However that didn&#39;t do anything. The endpoints are still not being created and return 404s.

Spring Boot Actuator without Spring Boot

Given a &quot;standard&quot; spring boot application with a `@RestController`, eg

    @RestController
    @RequestMapping(value = &quot;foo&quot;, produces = &quot;application/json;charset=UTF-8&quot;)
    public class MyController {
        @RequestMapping(value = &quot;bar&quot;)
        public ResponseEntity&lt;String&gt; bar(
            return new ResponseEntity&lt;&gt;(&quot;Hello world&quot;, HttpStatus.OK);
        }
    }

Is there an annotation or technique that prevents the endpoint from starting *at all* if/unless a certain application property exists/doesn&#39;t exist.

Note: Testing a property inside the method and exploding is not a solution, because the endpoint will exist.

I don&#39;t care about the granularity: ie enabling/disabling just a method or the whole class are both fine.

---

Because a profile is not a property, control via profiles does not solve my problem.


Can a spring boot @RestController be enabled/disabled using properties?

I&#39;ve been reading up on versioning strategies for ReST APIs, and something none of them appear to address is how you manage the underlying codebase.

Let&#39;s say we&#39;re making a bunch of breaking changes to an API - for example, changing our Customer resource so that it returns separate `forename` and `surname` fields instead of a single `name` field. (For this example, I&#39;ll use the URL versioning solution since it&#39;s easy to understand the concepts involved, but the question is equally applicable to content negotiation or custom HTTP headers)

We now have an endpoint at `http://api.mycompany.com/v1/customers/{id}`, and another incompatible endpoint at `http://api.mycompany.com/v2/customers/{id}`. We are still releasing bugfixes and security updates to the v1 API, but new feature development is now all focusing on v2. How do we write, test and deploy changes to our API server? I can see at least two solutions:

- Use a source control branch/tag for the v1 codebase. v1 and v2 are developed, and deployed independently, with revision control merges used as necessary to apply the same bugfix to both versions - similar to how you&#39;d manage codebases for native apps when developing a major new version whilst still supporting the previous version. 

- Make the codebase itself aware of the API versions, so you end up with a single codebase that includes both the v1 customer representation and the v2 customer representation. Treat versioning as part of your solution architecture instead of a deployment issue - probably using some combination of namespaces and routing to make sure requests are handled by the correct version.

The obvious advantage of the branch model is that it&#39;s trivial to delete old API versions - just stop deploying the appropriate branch/tag - but if you&#39;re running several versions, you could end up with a really convoluted branch structure and deployment pipeline. The &quot;unified codebase&quot; model avoids this problem, but (I think?) would make it much harder to remove deprecated resources and endpoints from the codebase when they&#39;re no longer required. I know this is probably subjective since there&#39;s unlikely to be a simple correct answer, but I&#39;m curious to understand how organisations who maintain complex APIs across multiple versions are solving this problem. 





How do you manage the underlying codebase for a versioned API?

I am currently working on a project that requires the client requesting a big job and sending it to the server. Then the server divides up the job and responds with an array of urls for the client to make a GET call on and stream back the data. I am the greenhorn on the project and I am currently using Spring websockets to improve efficiency. Instead of the clients constantly pinging the server to see if it has results ready to stream back, the websocket will now just directly contact the client hooray!

Would it be a bad idea to have websockets manage the whole process from end to end? I am using STOMP with Spring websockets, will there still be major issues with ditching REST?

What are the pitfalls of using Websockets in place of RESTful HTTP?

Let&#39;s say we have a User, Wallet REST microservices and an API gateway that glues things together. When Bob registers on our website, our API gateway needs to create a user through the User microservice and a wallet through the Wallet microservice. 

Now here are a few scenarios where things could go wrong:

- User Bob creation fails: that&#39;s OK, we just return an error message to the Bob. We&#39;re using SQL transactions so no one ever saw Bob in the system. Everything&#39;s good :)

- User Bob is created but before our Wallet can be created, our API gateway hard crashes. We now have a User with no wallet (inconsistent data).

- User Bob is created and as we are creating the Wallet, the HTTP connection drops. The wallet creation might have succeeded or it might have not.

What solutions are available to prevent this kind of data inconsistency from happening? Are there patterns that allow transactions to span multiple REST requests? I&#39;ve read the Wikipedia page on [Two-phase commit](http://en.wikipedia.org/wiki/Two-phase_commit_protocol) which seems to touch on this issue but I&#39;m not sure how to apply it in practice. This [Atomic Distributed Transactions: a RESTful design](http://ws-rest.org/2014/sites/default/files/wsrest2014_submission_7.pdf) paper also seems interesting although I haven&#39;t read it yet.

Alternatively, I know REST might just not be suited for this use case. Would perhaps the correct way to handle this situation to drop REST entirely and use a different communication protocol like a message queue system? Or should I enforce consistency in my application code (for example, by having a background job that detects inconsistencies and fixes them or by having a &quot;state&quot; attribute on my User model with &quot;creating&quot;, &quot;created&quot; values, etc.)?

Transactions across REST microservices?

I&#39;m trying to learn django so while I have a current solution I&#39;m not sure if it follows best practices in django. I would like to display information from a web api on my website. Let&#39;s say the api url is as follows:

    http://api.example.com/books?author=edwards&amp;year=2009

Thsis would return a list of books by Edwards written in the year 2009. Returned in the following format:

    {&#39;results&#39;:
                 [
                    {
                       &#39;title&#39;:&#39;Book 1&#39;,
                       &#39;Author&#39;:&#39;Edwards Man&#39;,
                       &#39;Year&#39;:2009
                    },
                    {
                       &#39;title&#39;:&#39;Book 2&#39;,
                       &#39;Author&#39;:&#39;Edwards Man&#39;,
                       &#39;Year&#39;:2009}
               ]
    }

Currently I am consuming the API in my views file as follows:

    class BooksPage(generic.TemplateView):
        def get(self,request):
            r = requests.get(&#39;http://api.example.com/books?author=edwards&amp;year=2009&#39;)
            books = r.json()
            books_list = {&#39;books&#39;:books[&#39;results&#39;]}
            return render(request,&#39;books.html&#39;,books_list)

Normally, we grab data from the database in the models.py file, but I am unsure if I should be grabbing this API data in models.py or views.py. If it should be in models.py, can someone provide an example of how to do this? I wrote the above example sepecifically for stackoverflow, so any bugs are purely a result of writing it here.
    

Proper way to consume data from RESTFUL API in django

I have heard both &quot;resource&quot; and &quot;endpoint&quot; to refer to the same thing. It seems that resource is a newer term.

What is the difference between them? Does &quot;resource&quot; imply a RESTful design?

What is the difference between resource and endpoint?

I have come across a glance of code which uses `@Order` annotation. I want to know what is the use of this annotation with respect to Spring Security or Spring MVC.

Here is an example:

&lt;!-- language: lang-java&gt;

    @Order(1)
    public class StatelessAuthenticationSecurityConfig extends WebSecurityConfigurerAdapter {
    
    	@Autowired
    	private UserDetailsService userDetailsService;
    
    	@Autowired
    	private TokenAuthenticationService tokenAuthenticationService;

    }

What happen to the order of above mentioned class if we do not use this annotation?

What is the use of @Order annotation in Spring?

I am using stateless spring security,but in case of signup i want to disable spring security.I disabled  using 

    antMatchers(&quot;/api/v1/signup&quot;).permitAll().

but it is not working,i am getting error below: 

     message=An Authentication object was not found in the SecurityContext, type=org.springframework.security.authentication.AuthenticationCredentialsNotFoundException

I think this means spring security filters are working

My url&#39;s order always will be &quot;/api/v1&quot;

My spring config is

    @Override
        protected void configure(HttpSecurity http) throws Exception {
    
        	 http.
             csrf().disable().
             sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).
             and().
             authorizeRequests().
             antMatchers(&quot;/api/v1/signup&quot;).permitAll().
             anyRequest().authenticated().
             and().
             anonymous().disable();
            http.addFilterBefore(new AuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class);
        }

My authentication filter is

    @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
            HttpServletRequest httpRequest = asHttp(request);
            HttpServletResponse httpResponse = asHttp(response);
            
            String username = httpRequest.getHeader(&quot;X-Auth-Username&quot;);
            String password = httpRequest.getHeader(&quot;X-Auth-Password&quot;);
            String token = httpRequest.getHeader(&quot;X-Auth-Token&quot;);
             
            String resourcePath = new UrlPathHelper().getPathWithinApplication(httpRequest);
    
            try {
            	
                if (postToAuthenticate(httpRequest, resourcePath)) {            
                    processUsernamePasswordAuthentication(httpResponse, username, password);
                    return;
                }
                
                if(token != null){
                	processTokenAuthentication(token);
                }
                chain.doFilter(request, response);
            } catch (InternalAuthenticationServiceException internalAuthenticationServiceException) {
                SecurityContextHolder.clearContext();
                logger.error(&quot;Internal authentication service exception&quot;, internalAuthenticationServiceException);
                httpResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            } catch (AuthenticationException authenticationException) {
                SecurityContextHolder.clearContext();
                httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authenticationException.getMessage());
            } finally {
            }
        }
    	
    	 private HttpServletRequest asHttp(ServletRequest request) {
    	        return (HttpServletRequest) request;
    	    }
    
    	    private HttpServletResponse asHttp(ServletResponse response) {
    	        return (HttpServletResponse) response;
    	    }
    	    
    	    private boolean postToAuthenticate(HttpServletRequest httpRequest, String resourcePath) {
    	        return Constant.AUTHENTICATE_URL.equalsIgnoreCase(resourcePath) &amp;&amp; httpRequest.getMethod().equals(&quot;POST&quot;);
    	    }
    
    	    private void processUsernamePasswordAuthentication(HttpServletResponse httpResponse,String username, String password) throws IOException {
    	        Authentication resultOfAuthentication = tryToAuthenticateWithUsernameAndPassword(username, password);
    	        SecurityContextHolder.getContext().setAuthentication(resultOfAuthentication);
    	        httpResponse.setStatus(HttpServletResponse.SC_OK);
    	        httpResponse.addHeader(&quot;Content-Type&quot;, &quot;application/json&quot;);
    	        httpResponse.addHeader(&quot;X-Auth-Token&quot;, resultOfAuthentication.getDetails().toString());
    	    }
    
    	    private Authentication tryToAuthenticateWithUsernameAndPassword(String username,String password) {
    	        UsernamePasswordAuthenticationToken requestAuthentication = new UsernamePasswordAuthenticationToken(username, password);
    	        return tryToAuthenticate(requestAuthentication);
    	    }
    	    
    	    private void processTokenAuthentication(String token) {
    	        Authentication resultOfAuthentication = tryToAuthenticateWithToken(token);
    	        SecurityContextHolder.getContext().setAuthentication(resultOfAuthentication);
    	    }
    	    
    	    private Authentication tryToAuthenticateWithToken(String token) {
    	        PreAuthenticatedAuthenticationToken requestAuthentication = new PreAuthenticatedAuthenticationToken(token, null);
    	        return tryToAuthenticate(requestAuthentication);
    	    }
    
    	    private Authentication tryToAuthenticate(Authentication requestAuthentication) {
    	        Authentication responseAuthentication = authenticationManager.authenticate(requestAuthentication);
    	        if (responseAuthentication == null || !responseAuthentication.isAuthenticated()) {
    	            throw new InternalAuthenticationServiceException(&quot;Unable to authenticate Domain User for provided credentials&quot;);
    	        }
    	        logger.debug(&quot;User successfully authenticated&quot;);
    	        return responseAuthentication;
    	    }

My controller is 

    @RestController
    public class UserController {
    	
    	@Autowired
    	UserService userService;
    
    	/**
    	 * to pass user info to service
    	 */
    	@RequestMapping(value = &quot;api/v1/signup&quot;,method = RequestMethod.POST)
    	public String saveUser(@RequestBody User user) {
    		userService.saveUser(user);
    		return &quot;User registerted successfully&quot;;
    	}
    }

I am totally new to spring,please help me how to do it ?

How to disable spring security for particular url

I added one custom Security Config in my application on Spring Boot, but the message about &quot;Using default security password&quot; is still there in LOG file.

Is there any to remove it? I do not need this default password. It seems Spring Boot is not recognizing my security policy.

    @Configuration
    @EnableWebSecurity
    public class CustomSecurityConfig extends WebSecurityConfigurerAdapter {
    
        private final String uri = &quot;/custom/*&quot;;
    
        @Override
        public void configure(final HttpSecurity http) throws Exception {
            http.csrf().disable();
            http.headers().httpStrictTransportSecurity().disable();
            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    
            // Authorize sub-folders permissions
            http.antMatcher(uri).authorizeRequests().anyRequest().permitAll();
        }
    }



Remove &quot;Using default security password&quot; on Spring Boot

I&#39;m facing a problem when using Spring Security &amp;&amp; Thymeleaf, specifically when trying to use the [hasRole](http://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/htmlsingle/#el-common-built-in) expression. The &#39;admin&#39; user has a role &#39;ADMIN&#39; but `hasRole(&#39;ADMIN&#39;)` resolves to false anyway I try it

My html:

    1.&lt;div sec:authentication=&quot;name&quot;&gt;&lt;/div&gt; &lt;!-- works fine --&gt;
    2.&lt;div sec:authentication=&quot;principal.authorities&quot;&gt;&lt;/div&gt; &lt;!-- works fine --&gt;

    3.&lt;div  sec:authorize=&quot;isAuthenticated()&quot; &gt;true&lt;/div&gt; &lt;!-- works fine --&gt;
    4.&lt;span th:text=&quot;${#authorization.expression(&#39;isAuthenticated()&#39;)}&quot;&gt;&lt;/span&gt; &lt;!-- works fine --&gt;

    5.&lt;div th:text=&quot;${#vars.role_admin}&quot;&gt;&lt;/div&gt; &lt;!--Works fine --&gt;
    6.&lt;div  sec:authorize=&quot;${hasRole(&#39;ADMIN&#39;)}&quot; &gt; IS ADMIN &lt;/div&gt; &lt;!-- Doesnt work --&gt;
    7.&lt;div  sec:authorize=&quot;${hasRole(#vars.role_admin)}&quot; &gt; IS ADMIN &lt;/div&gt; &lt;!-- Doesnt work --&gt;
    8.&lt;div th:text=&quot;${#authorization.expression(&#39;hasRole(&#39;&#39;ADMIN&#39;&#39;)&#39;)} &quot;&gt;&lt;/div&gt; &lt;!-- Doesnt work --&gt;
    9.&lt;div th:text=&quot;${#authorization.expression(&#39;hasRole(#vars.role_admin)&#39;)}&quot;&gt;&lt;/div&gt; &lt;!-- Doesnt work --&gt;

results in:

    1.admin
    2.[ADMIN]
    3.true
    4.true
    5.ADMIN
    6.&quot;prints nothing because hasRole(&#39;ADMIN&#39;) resolves to false&quot;
    7.&quot;prints nothing because hasRole(#vars.role_admin) resolves to false&quot;
    8.false
    9.false

I have enabled _use-expressions_ in my security.xml file

    &lt;security:http auto-config=&quot;true&quot; use-expressions=&quot;true&quot;&gt;

And also included the SpringSecurityDialect in my config

    &lt;bean id=&quot;templateEngine&quot;
          class=&quot;org.thymeleaf.spring4.SpringTemplateEngine&quot;&gt;
        &lt;property name=&quot;templateResolver&quot; ref=&quot;templateResolver&quot; /&gt;  
        &lt;property name=&quot;additionalDialects&quot;&gt;
            &lt;set&gt;
                &lt;bean class=&quot;org.thymeleaf.extras.springsecurity4.dialect.SpringSecurityDialect&quot; /&gt;
            &lt;/set&gt;
        &lt;/property&gt;      
    &lt;/bean&gt;

All the necessary dependencies in my pom.xml file

    

    &lt;!--Spring security--&gt; 
        &lt;dependency&gt;
            &lt;groupId&gt;org.springframework.security&lt;/groupId&gt;
            &lt;artifactId&gt;spring-security-core&lt;/artifactId&gt;
            &lt;version&gt;4.0.1.RELEASE&lt;/version&gt;
        &lt;/dependency&gt;
        &lt;dependency&gt;
            &lt;groupId&gt;org.springframework.security&lt;/groupId&gt;
            &lt;artifactId&gt;spring-security-web&lt;/artifactId&gt;
            &lt;version&gt;4.0.1.RELEASE&lt;/version&gt;
        &lt;/dependency&gt;
        &lt;dependency&gt;
            &lt;groupId&gt;org.springframework.security&lt;/groupId&gt;
            &lt;artifactId&gt;spring-security-config&lt;/artifactId&gt;
            &lt;version&gt;4.0.1.RELEASE&lt;/version&gt;
        &lt;/dependency&gt;        
        
        &lt;!--Thymeleaf Spring Security--&gt;
        &lt;dependency&gt;
            &lt;groupId&gt;org.thymeleaf.extras&lt;/groupId&gt;
            &lt;artifactId&gt;thymeleaf-extras-springsecurity4&lt;/artifactId&gt;
            &lt;version&gt;2.1.2.RELEASE&lt;/version&gt;
            &lt;scope&gt;compile&lt;/scope&gt;
        &lt;/dependency&gt;

Role.java

    @Entity
    @Table(name = &quot;roles&quot;)
    
        public class Role implements Serializable {
        
            @Id
            @Enumerated(EnumType.STRING)
            private RoleType name;
            //... getters, setters
        }

RoleType

    public enum RoleType {
    
        ADMIN 
    }

And `User`has a Set of `Role`s 

Why is `hasRole()` not working? 

I appreciate your help, thank you


**Workaround**
--------------

  `th:if=&quot;${#strings.contains(#authentication.principal.authorities,&#39;ADMIN&#39;)}&quot;`

Spring Security hasRole() not working

I work on content management system, that has five *antMatchers* like the following:

    http.authorizeRequests()
			.antMatchers(&quot;/&quot;, &quot;/*.html&quot;).permitAll()
			.antMatchers(&quot;/user/**&quot;).hasRole(&quot;USER&quot;)
			.antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
			.antMatchers(&quot;/admin/login&quot;).permitAll()
			.antMatchers(&quot;/user/login&quot;).permitAll()
			.anyRequest().authenticated()
			.and()
        	.csrf().disable();

which suppose to mean that the visitors can see all site at root path (/*), and users can see only (/user), admin can see only (/admin), and there are two login pages one for users and another for admin.

The code seems to work fine, except the admin section - it doesn&#39;t work but  return access denied exception.


Multiple antMatchers in Spring security

I&#39;m having a small problem with formatting a Java 8 LocalDateTime in my Spring Boot Application. With &#39;normal&#39; dates I have no problem, but the LocalDateTime fields are converted to the following:

    &quot;startDate&quot; : {
        &quot;year&quot; : 2010,
        &quot;month&quot; : &quot;JANUARY&quot;,
        &quot;dayOfMonth&quot; : 1,
        &quot;dayOfWeek&quot; : &quot;FRIDAY&quot;,
        &quot;dayOfYear&quot; : 1,
        &quot;monthValue&quot; : 1,
        &quot;hour&quot; : 2,
        &quot;minute&quot; : 2,
        &quot;second&quot; : 0,
        &quot;nano&quot; : 0,
        &quot;chronology&quot; : {
          &quot;id&quot; : &quot;ISO&quot;,
          &quot;calendarType&quot; : &quot;iso8601&quot;
        }
      }

While I would like convert it to something like:

    &quot;startDate&quot;: &quot;2015-01-01&quot;

My code looks like this:

    @JsonFormat(pattern=&quot;yyyy-MM-dd&quot;)
    @DateTimeFormat(iso = DateTimeFormat.ISO.TIME)
    public LocalDateTime getStartDate() {
        return startDate;
    }

But either of the above annotations don&#39;t work, the date keeps getting formatted like above. Suggestions welcome!


JSON Java 8 LocalDateTime format in Spring Boot

I want to log SQL statements in a file.  
I have the following properties in `application.properties`

    spring.datasource.url=...
    spring.datasource.username=user
    spring.datasource.password=1234
    spring.datasource.driver-class-name=net.sourceforge.jtds.jdbc.Driver
    
    spring.jpa.show-sql=true
    spring.jpa.properties.hibernate.format_sql=true
    
    security.ignored=true
    security.basic.enabled=false
    
    logging.level.org.springframework.web=INFO
    logging.level.org.hibernate=INFO
    logging.file=c:/temp/my-log/app.log

When I run my application 

    cmd&gt;mvn spring-boot:run

I can see sql statements in the console but they don&#39;t appear in a file app.log. The file contains only basic logs from spring.

What should I do to see sql statements in the log file?


Content Type	Original Author	Original Content on Stackoverflow
Question	Christopher	View Question on Stackoverflow
Solution 1 - Spring	Joao Evangelista	View Answer on Stackoverflow

@EnableGlobalMethodSecurity vs @EnableWebSecurity

Spring Problem Overview

Spring Solutions

Solution 1 - Spring

_pickle in python3 doesn't work for large data saving

Making an angular filter conditional

Attributions