All http protection is applied at startup:
protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/admin/**").hasRole("admin") }
At runtime, I try to add even more to it ...
applicationContext.getBean(WebSecurityConfigurerAdapter).http.authorizeRequests().antMatchers("bla").hasRole("admin")
When this line is executed, it adds it to http.authorizeRequests (), but / bla is still accessible using "non admins"
When the server restarts, this change takes effect as it loads bla from the database.
How to make protection immediately effective without rebooting the server?
source share