Spring Security ROLE_ prefix no longer needed?
I was investigating how to create a custom role prefix until I realized that it doesn't matter. As long as my role from my DB matches something like:

<security:intercept-url pattern="/person/myProfile/**" access="hasRole('BlaBla')" />

And it is not just an example: in the DB I literally set up the role BlaBla to test, and it works.

I don't like it when I get different behavior - many people had problems setting up a custom prefix to create a custom role. What happens here, and should I expect hidden rocks?

I have the 3.0.7 release, and in my query for authorities I don't have 'default' values. Is it caused by the version?

Melanie answered 29/11, 2011 at 17:2 Comment(0)

Probably you're using:

<http use-expressions="true">

That configures a WebExpressionVoter, which will vote true for the users who have the granted authority "BlaBla" (in your case).

Remember that the authorization for a secured object (a URL, for instance) is performed by an AccessDecisionManager.

There are three concrete AccessDecisionManagers: affirmative, consensus and unanimous.

For taking the decisions, they use a list of AccessDecisionVoters.

RoleVoter, the one that you expected, which has the rolePrefix configurable (ROLE_ by default), AuthenticatedVoter and the new WebExpressionVoter.

Don't forget that the combination of the AccessDecisionManager and its Voters could allow or deny the permission in a way that you'd think illogical.

And I recommend that you debug the requests to see if the URL and the pattern match as you expected.

Croy answered 29/11, 2011 at 20:8 Comment(5)
I am using pretty much the default configuration. So I guess I don't have a combination of AccessDecisionManager and multiple Voters. And my requests are perfectly valid (other roles and anonymous can't access the resource). So I guess this WebExpressionVoter is the culprit. Weird anyway. When is the RoleVoter chosen then? How does it know which one to choose? Say method level security will still work with WebExpressionVoter? - Melanie
@Melanie Voters are not "chosen": every Voter is always asked to vote and then the AccessDecisionManager combines all votes to make the final decision. The default AccessDecisionManager is AffirmativeBased, which allows access as long as no Voter denies access and at least one Voter allows access. Note that Voters can (and often do) abstain, which the AccessDecisionManager usually interprets as "I don't mind about this access attempt". In your case the WebExpressionVoter allows access and the other Voters abstain, so in the end the access is granted. - Highjack
Apologies for the misunderstanding. I meant I don't know your configuration (the contents of your applicationContext-security.xml), but if you use use-expressions with the security namespace, WebExpressionVoter is configured. - Croy
@Croy I am using use-expressions=true and Spring Security 4.0.1, and any role without the "ROLE_" prefix does not work. Is there something I am missing? - Britanybritches
Check this question. I think you should use hasAuthority instead. - Lange
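The voting mechanism described in the answer and its comments, as an added example that is not code from the question or from Spring Security itself: a stripped-down Java model of an AffirmativeBased manager combining a RoleVoter (which abstains on anything not carrying its prefix) with an expression voter. VoterModel, the Voter interface and the autoPrefix flag are assumptions of this model; autoPrefix=true stands in for the Spring Security 4.x behaviour where hasRole prepends ROLE_ itself while hasAuthority does not, which is why the 4.0.1 commenter above needs hasAuthority.

```java
import java.util.*;
// Model (not Spring's classes) of how AffirmativeBased combines a RoleVoter with an expression voter.
public class VoterModel {
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;
    interface Voter { int vote(Set<String> authorities, String attribute); }

    // RoleVoter only votes on attributes that carry its prefix (ROLE_ by default);
    // an expression attribute such as hasRole('BlaBla') makes it abstain.
    static Voter roleVoter(String prefix) {
        return (auths, attr) -> !attr.startsWith(prefix) ? ABSTAIN
                : auths.contains(attr) ? GRANTED : DENIED;
    }

    // Expression voter for hasRole('X') and hasAuthority('X'); abstains on plain attributes.
    // autoPrefix=false models 3.0.x (hasRole compares the raw authority string);
    // autoPrefix=true models 4.x, where hasRole prepends ROLE_ itself and hasAuthority does not.
    static Voter expressionVoter(boolean autoPrefix) {
        return (auths, attr) -> {
            int open = attr.indexOf('(');
            if (open < 0) return ABSTAIN;
            String fn = attr.substring(0, open);
            String arg = attr.substring(attr.indexOf('\'') + 1, attr.lastIndexOf('\''));
            if (fn.equals("hasRole") && autoPrefix && !arg.startsWith("ROLE_")) arg = "ROLE_" + arg;
            return auths.contains(arg) ? GRANTED : DENIED;
        };
    }

    // AffirmativeBased: any DENIED vote denies; otherwise one GRANTED vote is enough;
    // if every voter abstains, access is denied (allowIfAllAbstainDecisions is false by default).
    static boolean affirmativeBased(List<Voter> voters, Set<String> auths, String attr) {
        boolean granted = false;
        for (Voter v : voters) {
            int vote = v.vote(auths, attr);
            if (vote == DENIED) return false;
            if (vote == GRANTED) granted = true;
        }
        return granted;
    }

    public static void main(String[] args) {
        Set<String> fromDb = Set.of("BlaBla");   // constructed: authority stored without ROLE_ prefix
        List<Voter> v3 = List.of(roleVoter("ROLE_"), expressionVoter(false));
        List<Voter> v4 = List.of(roleVoter("ROLE_"), expressionVoter(true));
        System.out.println("3.0.x hasRole('BlaBla'):      " + affirmativeBased(v3, fromDb, "hasRole('BlaBla')"));
        System.out.println("4.x   hasRole('BlaBla'):      " + affirmativeBased(v4, fromDb, "hasRole('BlaBla')"));
        System.out.println("4.x   hasAuthority('BlaBla'): " + affirmativeBased(v4, fromDb, "hasAuthority('BlaBla')"));
        System.out.println("plain ROLE_BlaBla attribute:  " + affirmativeBased(v3, fromDb, "ROLE_BlaBla"));
    }
}
```

Requires Java 9 or later for Set.of and List.of; the last case shows the RoleVoter denying on a plain ROLE_ attribute that the DB authority does not match.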
