Why does Spring Security's RoleVoter need a prefix?

Question

In our application we planned to use the RoleVoter mechanism but we'd like to remove the ROLE_ prefix as the security we are implementing is more task based than role based.

Technically, there is no problem for the implementation but I found in the documentation that using the RoleVoter with an empty prefix should be discouraged.

I'm wondering why?

AFAICS, the only problem is that, without the prefix, the RoleVoter will participate in decisions that it is not meant to (such as the IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED, ...) and might returns an access denied instead of an abstain.

Could you please confirm that this is the only issue with an empty prefix?

Thanks in advance M.

Answer 1

Yes. If you are using multiple voters or a custom voter then they need some way knowing which attributes they should consume. For example, if you have a DayOfTheWeekVoter and you have a resource defined with attributes ROLE_USER,DAY_MONDAY then the RoleVoter might vote to grant access because the user has the role "User", but the DayOfTheWeekVoter might deny access because it is not a Monday.

If you don't configure RoleVoter with a prefix then it would check if the user has the authority named "DAY_MONDAY" assigned to them, and so this scenario won't work.

If you are only interested in roles, then you can do without a prefix, or you can use expressions (such as hasRole('user')) which don't use a RoleVoter.