1

I have set up Spring Security in my Spring MVC based web application. However, due to some external system restriction, I want the user roles to be in lowercase.

But when testing locally using In Memory Users, the application allows access only when the authenticated user has roles in UPPER_CASE, and gives a 403 as soon as I change the roles to lowercase.

Is there such a restriction that roles must be in upper-case? I can't find any mention of it in the docs.

I also found out about the attribute lowercase-comparisons for filter-invocation-definition-source. Is this for comparison of URLs or roles?

Below is the FilterSecurityInterceptor definition:

<bean id="fsi" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="objectDefinitionSource">
        <sec:filter-invocation-definition-source lowercase-comparisons="true">
            <sec:intercept-url pattern="/logout.jsp"            access="ROLE_ANONYMOUS" />
            <sec:intercept-url pattern="/welcome.htm"           access="ROLE_executer,ROLE_viewer,ROLE_admin_user" />

            <!-- Write access -->
            <sec:intercept-url pattern="/addNewRecord.htm"      access="ROLE_executer,ROLE_admin_user" />
            <sec:intercept-url pattern="/updateRecord.htm"      access="ROLE_executer,ROLE_admin_user" />
            <sec:intercept-url pattern="/deleteRecord.htm"      access="ROLE_executer,ROLE_admin_user" />
            <sec:intercept-url pattern="/uploadFile.htm"        access="ROLE_executer,ROLE_admin_user" />

            <!-- Read access to all other URLs -->
            <sec:intercept-url pattern="/**"                    access="ROLE_executer,ROLE_viewer,ROLE_admin_user"/>
        </sec:filter-invocation-definition-source>
    </property>
</bean>

Thanks for any help.

Aditya Jain

1 Answer

3

Roles don't have to be upper case. However, in a normal configuration, the RoleVoter looks for the prefix ROLE_, which is case sensitive. See this FAQ.

You can either configure the role voter to have an empty prefix (or a lower case one, if that's what you want), or you can use expression-based access - see this answer.

Alternatively, you can configure your AuthenticationProvider with a GrantedAuthoritiesMapper which converts the roles from your external system to values which can be consumed by Spring Security's RoleVoter - see this answer.

Shaun the Sheep
  • This is correct. Another thing worth pointing out would be that these "Roles" are not roles in the typical sense (roles/privileges). These are merely GrantedAuthority represented as a String. RoleVoter checks for the existence of these granted authorities in the user's granted authorities. – Shailendra May 23 '14 at 17:02
  • They can be "typical roles" if you want them to be. `GrantedAuthority` is just an internal interface and its meaning depends on the voter. `RoleVoter` just compares the string representation with the access control attributes listed for the URL or secured method, which is a pretty typical interpretation of role-based access in an application. – Shaun the Sheep May 23 '14 at 17:21
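To make the answer's two workable options concrete, here is an added example (not code from the question or the answer, and not part of Spring Security itself) that exercises `RoleVoter` directly, without a Spring container. It assumes the Spring Security 3.x/4.x API the question targets. The class name `LowercaseRoleMapper`, the `normalise` helper, the user name `alice` and the authority list `role_executer`, `viewer` are all constructed for the demonstration; the only real library types are `RoleVoter`, `GrantedAuthoritiesMapper`, `SecurityConfig`, `SimpleGrantedAuthority`, `AuthorityUtils` and `UsernamePasswordAuthenticationToken`.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;

/**
 * Hypothetical mapper (added example, not from the original post): turns the
 * lowercase authorities an external system hands over ("executer",
 * "role_executer") into the "ROLE_"-prefixed form RoleVoter expects, while
 * leaving the role name itself in whatever case the external system uses.
 */
public class LowercaseRoleMapper implements GrantedAuthoritiesMapper {

    private static final String PREFIX = "ROLE_";

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        List<GrantedAuthority> mapped = new ArrayList<GrantedAuthority>();
        for (GrantedAuthority authority : authorities) {
            mapped.add(new SimpleGrantedAuthority(normalise(authority.getAuthority())));
        }
        return mapped;
    }

    /** "role_executer" -> "ROLE_executer", "executer" -> "ROLE_executer", "ROLE_x" unchanged. */
    static String normalise(String role) {
        if (role.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            return PREFIX + role.substring(PREFIX.length());
        }
        return PREFIX + role;
    }

    public static void main(String[] args) {
        // Constructed sample: authorities as a lowercase-only external system might return them.
        List<GrantedAuthority> external = AuthorityUtils.createAuthorityList("role_executer", "viewer");
        Authentication rawUser = new UsernamePasswordAuthenticationToken("alice", "n/a", external);

        // The question's situation: default prefix "ROLE_" vs. lowercase authority -> DENIED (the 403).
        RoleVoter defaultVoter = new RoleVoter();
        System.out.println("ROLE_ prefix, unmapped user: "
                + describe(defaultVoter.vote(rawUser, null, SecurityConfig.createList("ROLE_executer"))));

        // Option A from the answer: give RoleVoter a lowercase prefix. The access attributes on
        // each intercept-url must then use the same prefix, e.g. access="role_executer".
        RoleVoter lowercaseVoter = new RoleVoter();
        lowercaseVoter.setRolePrefix("role_");
        System.out.println("role_ prefix, unmapped user: "
                + describe(lowercaseVoter.vote(rawUser, null, SecurityConfig.createList("role_executer"))));

        // Option B from the answer: keep the default prefix and map the authorities on the way in.
        Collection<? extends GrantedAuthority> mapped = new LowercaseRoleMapper().mapAuthorities(external);
        Authentication mappedUser = new UsernamePasswordAuthenticationToken("alice", "n/a", mapped);
        System.out.println("ROLE_ prefix, mapped user: "
                + describe(defaultVoter.vote(mappedUser, null, SecurityConfig.createList("ROLE_executer"))));
    }

    private static String describe(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }
}
```

In a real configuration option A is the `rolePrefix` property of the `RoleVoter` bean inside your `accessDecisionManager`, and option B is wired by setting the mapper as the `authoritiesMapper` of the `AuthenticationProvider` (Spring Security 3.1 or later). Two things to keep in mind: an empty prefix makes `RoleVoter` claim every config attribute, including ones like `IS_AUTHENTICATED_FULLY` meant for other voters, so a lowercase prefix is the safer choice; and the `lowercase-comparisons` attribute in the question's configuration only lowercases the request URL before pattern matching, it has no effect on how role strings are compared.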