Difficulty upgrading to Spring Security 3.2 using Java Config to remove the ROLE_ prefix

StackOverflow https://stackoverflow.com//questions/21028608

Question

I am having some difficulty in upgrading to Spring Security 3.2 using Java Config around customizing the RoleVoter to remove the ROLE_ prefix. Specifically, I have this from the original XML:

<!-- Decision Manager and Role Voter -->
<bean id="accessDecisionManager"
    class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions">
        <value>false</value>
    </property>
    <property name="decisionVoters">
        <list>
            <ref local="roleVoter" />
        </list>
    </property>
</bean>

<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <property name="rolePrefix">
        <value />
    </property>
</bean>

I have tried to do create the similar configuration in my @Configuration object as such

@Bean
public RoleVoter roleVoter() {
    RoleVoter roleVoter = new RoleVoter();
    roleVoter.setRolePrefix("");
    return roleVoter;
}

@Bean
public AffirmativeBased accessDecisionManager() {
    AffirmativeBased affirmativeBased = new AffirmativeBased(Arrays.asList((AccessDecisionVoter)roleVoter()));
    affirmativeBased.setAllowIfAllAbstainDecisions(false);
    return affirmativeBased;
}

...

@Override
protected void configure(HttpSecurity http) throws Exception
{
    http
      .authorizeRequests()
            .accessDecisionManager(accessDecisionManager())
            .antMatchers("/protected/**").hasRole("my-authenticated-user")
            .anyRequest().authenticated()
            .and()
      .formLogin()
            .permitAll()
            .and()
      .logout()
            .permitAll();
}

This is where I am now having difficulty, I end up with an exception in the log that look like this:

Caused by: java.lang.IllegalArgumentException: Unsupported configuration attributes: [permitAll, hasRole('ROLE_my-authenticated-user'), permitAll, authenticated, permitAll, permitAll, permitAll]
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.afterPropertiesSet(AbstractSecurityInterceptor.java:156) ~[spring-security-core-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configurers.AbstractInterceptUrlConfigurer.createFilterSecurityInterceptor(AbstractInterceptUrlConfigurer.java:187) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configurers.AbstractInterceptUrlConfigurer.configure(AbstractInterceptUrlConfigurer.java:76) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.configure(ExpressionUrlAuthorizationConfigurer.java:70) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configurers.AbstractInterceptUrlConfigurer.configure(AbstractInterceptUrlConfigurer.java:64) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.configure(AbstractConfiguredSecurityBuilder.java:378) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:327) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:39) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:293) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:74) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:331) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:39) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:92) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerByCGLIB$$a7068b50.CGLIB$springSecurityFilterChain$3(<generated>) ~[spring-core-3.2.4.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerByCGLIB$$a7068b50$$FastClassByCGLIB$$a17f24f9.invoke(<generated>) ~[spring-core-3.2.4.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228) ~[spring-core-3.2.4.RELEASE.jar:3.2.4.RELEASE]
    at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:286) ~[spring-context-3.2.4.RELEASE.jar:3.2.4.RELEASE]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerByCGLIB$$a7068b50.springSecurityFilterChain(<generated>) ~[spring-core-3.2.4.RELEASE.jar:3.2.0.RELEASE]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_25]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_25]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_25]
    at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_25]
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:160) ~[spring-beans-3.2.4.RELEASE.jar:3.2.4.RELEASE]
    ... 60 common frames omitted

At this point, I am not sure where the ROLE_ is coming from if the RoleVoter is properly configured.

Was it helpful?

Solution

For the _ROLE part you have to use hasAnyAuthority(..) instead of hasAnyRole(..)

From the JavaDoc

If you do not want to have "ROLE_" automatically inserted see hasAnyAuthority(String)

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top