13

My Spring Boot application works on Spring Security 3.2.7.RELEASE. Now, I'd like to update it to 4.0.2.RELEASE.

After hours of debugging, I found that Spring Security 4.0.2.RELEASE uses defaultRolePrefix="ROLE_" in the org.springframework.security.access.expression.SecurityExpressionRoot.hasAnyAuthorityName(String prefix, String... roles) method.

In my application I use roles without this prefix and, accordingly, I get an AccessDeniedException.

How do I configure Spring Boot to use SecurityExpressionRoot.defaultRolePrefix=""?

MWiesner
alexanoid
  • 2
    I'm sorry to see you had difficulty migrating. Did you see that this is covered in the migration guide? http://docs.spring.io/spring-security/site/docs/4.0.x/reference/htmlsingle/#m3to4 Specifically if you follow the link I sent you should get to http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html#m3to4-role-prefixing – Rob Winch Aug 13 '15 at 19:25
  • 1
    Thanks Rob, I found the reason for that after 2 hours of debugging the Spring Security project. I have changed hasRole to hasAuthority and now everything works like a charm. – alexanoid Aug 13 '15 at 19:28
  • 1
    Glad to see you found the issue. I was hoping that if you (or others) encounter any more issues with the migration that the guide I provided will help. – Rob Winch Aug 13 '15 at 19:29

2 Answers

16

I found the solution to fix it. I need to change hasRole to hasAuthority, for example:

@PreAuthorize("hasAuthority('PERMISSION_CREATE_NODE')")
alexanoid
0

On the other hand, you can remove the role prefix as described here. In this case you are free to use other annotations.

Mostafa Barmshory
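
One way to remove the default prefix in Spring Security 4.0.x, as an added example that is not code from either answer: a BeanPostProcessor that clears the prefix on the expression handlers. The class and bean names are hypothetical, and it assumes the handlers are registered as beans in the application context; a handler instantiated directly is never seen by a BeanPostProcessor.

```java
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.PriorityOrdered;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;

// Hypothetical configuration class: clears the "ROLE_" default on security beans.
@Configuration
public class RolePrefixConfig {

    // static, so the post-processor exists before the security beans it must touch
    @Bean
    public static BeanPostProcessor noRolePrefixPostProcessor() {
        return new NoRolePrefixPostProcessor();
    }

    static class NoRolePrefixPostProcessor implements BeanPostProcessor, PriorityOrdered {

        @Override
        public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
            return bean; // nothing to do before initialization
        }

        @Override
        public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
            if (bean instanceof DefaultMethodSecurityExpressionHandler) {
                // method security expressions such as @PreAuthorize("hasRole('...')")
                ((DefaultMethodSecurityExpressionHandler) bean).setDefaultRolePrefix(null);
            }
            if (bean instanceof DefaultWebSecurityExpressionHandler) {
                // web (URL) access expressions evaluated by this handler
                ((DefaultWebSecurityExpressionHandler) bean).setDefaultRolePrefix(null);
            }
            if (bean instanceof SecurityContextHolderAwareRequestFilter) {
                // HttpServletRequest.isUserInRole(...)
                ((SecurityContextHolderAwareRequestFilter) bean).setRolePrefix("");
            }
            return bean;
        }

        @Override
        public int getOrder() {
            return PriorityOrdered.HIGHEST_PRECEDENCE; // run ahead of other post-processors
        }
    }
}
```

With the prefix cleared, hasRole('X') and hasAuthority('X') both match the granted authority string X exactly, so re-test every secured method and URL after the change to confirm access decisions are unchanged.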