Difficulté à mettre à niveau vers Spring Security 3.2 à l'aide de Java Config pour supprimer le préfixe ROLE_

Question

J'ai quelques difficultés à passer à Spring Security 3.2 à l'aide de Java Config pour personnaliser le RoleVoter pour supprimer le ROLE_ préfixe.Plus précisément, j'ai ceci du XML original :

<!-- Decision Manager and Role Voter -->
<bean id="accessDecisionManager"
    class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions">
        <value>false</value>
    </property>
    <property name="decisionVoters">
        <list>
            <ref local="roleVoter" />
        </list>
    </property>
</bean>

<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <property name="rolePrefix">
        <value />
    </property>
</bean>

J'ai essayé de créer la configuration similaire dans mon @Configuration objet en tant que tel

@Bean
public RoleVoter roleVoter() {
    RoleVoter roleVoter = new RoleVoter();
    roleVoter.setRolePrefix("");
    return roleVoter;
}

@Bean
public AffirmativeBased accessDecisionManager() {
    AffirmativeBased affirmativeBased = new AffirmativeBased(Arrays.asList((AccessDecisionVoter)roleVoter()));
    affirmativeBased.setAllowIfAllAbstainDecisions(false);
    return affirmativeBased;
}

...

@Override
protected void configure(HttpSecurity http) throws Exception
{
    http
      .authorizeRequests()
            .accessDecisionManager(accessDecisionManager())
            .antMatchers("/protected/**").hasRole("my-authenticated-user")
            .anyRequest().authenticated()
            .and()
      .formLogin()
            .permitAll()
            .and()
      .logout()
            .permitAll();
}

C'est là que j'ai maintenant des difficultés, je me retrouve avec une exception dans le log qui ressemble à ceci :

Caused by: java.lang.IllegalArgumentException: Unsupported configuration attributes: [permitAll, hasRole('ROLE_my-authenticated-user'), permitAll, authenticated, permitAll, permitAll, permitAll]
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.afterPropertiesSet(AbstractSecurityInterceptor.java:156) ~[spring-security-core-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configurers.AbstractInterceptUrlConfigurer.createFilterSecurityInterceptor(AbstractInterceptUrlConfigurer.java:187) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configurers.AbstractInterceptUrlConfigurer.configure(AbstractInterceptUrlConfigurer.java:76) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.configure(ExpressionUrlAuthorizationConfigurer.java:70) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configurers.AbstractInterceptUrlConfigurer.configure(AbstractInterceptUrlConfigurer.java:64) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.configure(AbstractConfiguredSecurityBuilder.java:378) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:327) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:39) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:293) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:74) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:331) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:39) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:92) ~[spring-security-config-3.2.0.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerByCGLIB$$a7068b50.CGLIB$springSecurityFilterChain$3(<generated>) ~[spring-core-3.2.4.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerByCGLIB$$a7068b50$$FastClassByCGLIB$$a17f24f9.invoke(<generated>) ~[spring-core-3.2.4.RELEASE.jar:3.2.0.RELEASE]
    at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228) ~[spring-core-3.2.4.RELEASE.jar:3.2.4.RELEASE]
    at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:286) ~[spring-context-3.2.4.RELEASE.jar:3.2.4.RELEASE]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerByCGLIB$$a7068b50.springSecurityFilterChain(<generated>) ~[spring-core-3.2.4.RELEASE.jar:3.2.0.RELEASE]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_25]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_25]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_25]
    at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_25]
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:160) ~[spring-beans-3.2.4.RELEASE.jar:3.2.4.RELEASE]
    ... 60 common frames omitted

À ce stade, je ne sais pas où se trouve le ROLE_ vient de si le RoleVoter est correctement configuré.

Answer 1

Pour la partie _ROLE, vous devez utiliser hasAnyAuthority(..) au lieu de hasAnyRole(..)

Extrait du JavaDoc

Si vous ne voulez pas avoir "Role_" inséré automatiquement, voir HasanyAuthority (String)