After solving all authentication-related problems in my first Spring web application, I'm now stuck with authorization.

Configuration using @Secured annotations is pretty straightforward, so I don't think I made a mistake here. Additionally, I'm using an Active Directory using the LDAP authentication provider and assign roles by AD groups, so that isn't a problem either.

So here's a brief summary of my problem:

  • Unsecured actions work
  • Actions using @Secured("IS_AUTHENTICATED_FULLY") work
  • Actions using something like @Secured("GROUP_*") don't work

When calling a secured action a is thrown. Here's an excerpt from the logs:

    DEBUG: - Secure object: ReflectiveMethodInvocation: public org.springframework.web.servlet.ModelAndView de.dillinger.resources.controllers.HostsController.index(); target is of class [de.dillinger.resources.controllers.HostsController]; ConfigAttributes: [GROUP_IT]
    DEBUG: - Previously Authenticated: Principal: Username: di32001; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: GROUP_ITS, GROUP_ITS-IT, GROUP_INTERNET, GROUP_SYSTEMGRUPPE, GROUP_IT; Password: [PROTECTED]; Authenticated: true; Details: RemoteIpAddress:; SessionId: 773943FFB14E512872BB6CE25F46C00A; Granted Authorities: GROUP_ITS, GROUP_ITS-IT, GROUP_INTERNET, GROUP_SYSTEMGRUPPE, GROUP_IT

As you can see the action requires the GROUP_IT role and my user object has this privilege. I really don't know what's causing this problem.

Are you using a role voter? Try changing it to
This kind of problem is related to role voter configuration.

Edit 1 (example added):

    <property name="allowIfAllAbstainDecisions" value="false" />
    <property name="decisionVoters">
        <list>
            <bean id="roleVoter" class="" />
        </list>
    </property>
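
Added example, not part of the answer above or the asker's project: Spring Security's `RoleVoter` only votes on attributes that start with its `rolePrefix` (default `ROLE_`), so with `allowIfAllAbstainDecisions` set to `false` an attribute such as `GROUP_IT` is denied even when the user holds it. It assumes the stock `RoleVoter` and a Spring Security release that still ships the voter classes; the class name `GroupPrefixVoterDemo`, the principal and the group `GROUP_HR` are constructed for illustration.

```java
import java.util.List;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class GroupPrefixVoterDemo {

    // Runs one access decision with the given RoleVoter and reports the outcome.
    static String decide(RoleVoter roleVoter, Authentication user, String attribute) {
        List<AccessDecisionVoter<?>> voters = List.of(roleVoter, new AuthenticatedVoter());
        AffirmativeBased manager = new AffirmativeBased(voters);
        manager.setAllowIfAllAbstainDecisions(false); // same setting as the snippet above
        List<ConfigAttribute> required = SecurityConfig.createList(attribute);
        try {
            manager.decide(user, new Object(), required);
            return "granted";
        } catch (AccessDeniedException e) {
            return "denied";
        }
    }

    public static void main(String[] args) {
        // Constructed principal carrying the authorities shown in the question's log.
        Authentication user = new TestingAuthenticationToken("di32001", "n/a",
                "GROUP_ITS", "GROUP_ITS-IT", "GROUP_INTERNET", "GROUP_SYSTEMGRUPPE", "GROUP_IT");

        RoleVoter defaultVoter = new RoleVoter();   // rolePrefix is "ROLE_"
        RoleVoter groupVoter = new RoleVoter();
        groupVoter.setRolePrefix("GROUP_");         // voter now handles GROUP_* attributes

        // Default prefix: both voters abstain on GROUP_IT, so access is denied.
        System.out.println("ROLE_ prefix,  GROUP_IT: " + decide(defaultVoter, user, "GROUP_IT"));
        // Matching prefix: GROUP_IT is compared with the granted authorities and granted.
        System.out.println("GROUP_ prefix, GROUP_IT: " + decide(groupVoter, user, "GROUP_IT"));
        // A group the user lacks stays denied, so the prefix change does not widen access.
        System.out.println("GROUP_ prefix, GROUP_HR: " + decide(groupVoter, user, "GROUP_HR"));
        // AuthenticatedVoter handles this attribute regardless of the role prefix.
        System.out.println("ROLE_ prefix,  IS_AUTHENTICATED_FULLY: "
                + decide(defaultVoter, user, "IS_AUTHENTICATED_FULLY"));
    }
}
```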
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow