Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
I'm trying to build a REST API with Spring Boot, secured by Spring Security. Here I need to provide a /users endpoint which will be available only to users with the ADMIN role.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // Runs once, at startup, on the thread that builds the filter chain
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        Authentication authentication =
                new TestingAuthenticationToken("username", "password", "ROLE_ADMIN");
        context.setAuthentication(authentication);

        SecurityContextHolder.setContext(context);

        // Authorization rules applied to every incoming request
        http.authorizeRequests()
                .antMatchers("/users").hasRole("ADMIN")
                .antMatchers("/products").permitAll()
                ;
    }

}

I'm using a TestingAuthenticationToken with ROLE_ADMIN, so I expect the /users endpoint to be available in this configuration.

Request:

GET /users HTTP/1.1
Host: localhost:5000
Accept: application/json
Content-Type: application/json
Cache-Control: no-cache

Response:

{
    "timestamp": "2020-09-01T17:28:27.628+00:00",
    "status": 403,
    "error": "Forbidden",
    "message": "Access Denied",
    "path": "/users"
}

He who fights with dragons for too long becomes a dragon himself; gaze too long into the abyss, and the abyss gazes back into you…

1 Answer

The SecurityContext with its Authentication is retrieved during each request in the SecurityContextPersistenceFilter. Your SecurityContext set in the SecurityConfig is hence simply overwritten (with auth == null). No authentication means no role, hence 403 - Forbidden.

For more see here.


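To show the point of the answer in working code, the following is an added example that is not part of the original question or answer. It assumes Spring Boot 2.x with spring-boot-starter-security and spring-boot-starter-test (JUnit 5, spring-security-test), the same WebSecurityConfigurerAdapter API the question uses, and a hypothetical UsersController that serves GET /users; the user names and passwords are constructed demo values. The configuration only declares who may reach /users and how a request authenticates; the per-request SecurityContext is then built by the filter chain from the request's own credentials. The TestingAuthenticationToken from the question is used where it belongs, injected into a single test request, so the next request starts with an empty context again.

```java
// ---- src/main/java/.../SecurityConfig.java ----
// Added example, not the original poster's code.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Authorization rules only. Nothing here touches SecurityContextHolder:
        // the context is (re)created for every request by the filter chain.
        http
            .authorizeRequests()
                .antMatchers("/products").permitAll()
                .antMatchers("/users").hasRole("ADMIN")
                .anyRequest().authenticated()          // deny by default
                .and()
            .httpBasic()                               // credentials travel with each request
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)  // no session to carry a context
                .and()
            // CSRF tokens need a session; acceptable here only because this API is
            // stateless and not driven by a cookie-authenticated browser client.
            .csrf().disable();
    }

    // The credential store consulted on every request (hard-coded demo values, assumed).
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        return new InMemoryUserDetailsManager(
            User.withUsername("admin").password(encoder.encode("admin-pw")).roles("ADMIN").build(),
            User.withUsername("alice").password(encoder.encode("alice-pw")).roles("USER").build());
    }
}

// ---- src/test/java/.../UsersEndpointTest.java ----
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class UsersEndpointTest {

    @Autowired MockMvc mvc;

    @Test
    void anonymousGets401() throws Exception {
        // With httpBasic configured the entry point challenges instead of returning 403
        mvc.perform(get("/users")).andExpect(status().isUnauthorized());
    }

    @Test
    void authenticatedWithoutAdminRoleGets403() throws Exception {
        mvc.perform(get("/users").with(httpBasic("alice", "alice-pw")))
           .andExpect(status().isForbidden());
    }

    @Test
    void adminGets200() throws Exception {
        mvc.perform(get("/users").with(httpBasic("admin", "admin-pw")))
           .andExpect(status().isOk());
    }

    @Test
    void testingTokenAppliesToOneRequestOnly() throws Exception {
        // Same token as in the question, but bound to this request's context
        TestingAuthenticationToken admin =
                new TestingAuthenticationToken("username", "password", "ROLE_ADMIN");
        mvc.perform(get("/users").with(authentication(admin))).andExpect(status().isOk());
        // The filter chain starts the next request with a fresh, empty context
        mvc.perform(get("/users")).andExpect(status().isUnauthorized());
    }
}
```

Note the status codes: an unauthenticated caller is sent through the authentication entry point (401 with a Basic challenge here; the question's config had no authentication mechanism, so the default entry point produced the 403 shown), while a caller who is authenticated but lacks ROLE_ADMIN is handled by the access-denied handler and gets 403.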