There are pages that only a few users should be allowed to access. For example, admin pages should be accessible only to admin users. This is done by matching the URLs of these pages to user roles, which were defined when the users were created; refer to the Authenticating users using the default login page and Authenticating users using a database recipes.
In the configure() method, use the hasRole() method:

    http.authorizeRequests()
        .antMatchers("/admin/**").hasRole("ADMIN")
        .anyRequest().authenticated();
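The rule in context, as an added example that is not code from the original recipe: a complete configuration class showing where the roles come from and how they tie to the URL rule. It assumes the WebSecurityConfigurerAdapter-based API that the recipe's configure() method implies; the class name, user names and passwords are constructed placeholders.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class name; all users and passwords below are constructed samples.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    // Roles are assigned when the users are created.
    // roles("ADMIN") stores the authority "ROLE_ADMIN".
    @Autowired
    public void configureUsers(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("user1").password(encoder.encode("placeholder-user-pwd"))
                .roles("USER")
            .and()
            .withUser("admin1").password(encoder.encode("placeholder-admin-pwd"))
                .roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Matchers are evaluated in declaration order and the first match
            // wins, so the specific /admin/** rule must precede anyRequest().
            // hasRole("ADMIN") checks for the authority "ROLE_ADMIN"; the
            // "ROLE_" prefix is added automatically and must not be repeated.
            .antMatchers("/admin/**").hasRole("ADMIN")
            // Every other URL only requires a logged-in user, whatever the role.
            .anyRequest().authenticated()
            .and()
            // Default login page for unauthenticated requests.
            .formLogin();
    }
}
```

With this configuration, user1 can log in but receives a 403 (access denied) response for any URL under /admin/, while admin1 is allowed through.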