I'm really new to Spring Security, so please, please be patient. I am open to suggestions to make this question more specific if someone could guide me.
My problem is that I have an intercept-url configuration in Spring Security, but it is always redirecting to the access denied page even when the user has the requisite role. This is my Spring Security config:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.1.xsd">

    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />

        <!-- access denied page -->
        <access-denied-handler error-page="/403" />

        <session-management invalid-session-url="/login"
            session-fixation-protection="newSession">
            <concurrency-control max-sessions="1"
                error-if-maximum-exceeded="true" />
        </session-management>

        <form-login login-page="/login" authentication-failure-url="/login?error"
            username-parameter="emailId" password-parameter="pwd" />
        <logout logout-success-url="/login?logout" delete-cookies="JSESSIONID" />
        <csrf token-repository-ref="tokenRepository" />
    </http>

    <authentication-manager>
        <authentication-provider ref="customAuthenticationProvider" />
    </authentication-manager>
</beans:beans>
Through my research I felt that there was nothing wrong in the above configuration, but that the problem could be the custom UserDetails object that I am using. This is the POJO:
import java.util.List;

import org.springframework.security.core.userdetails.UserDetails;

public class CustomUser implements UserDetails {
    private static final long serialVersionUID = 1L;

    private String userID;
    private String emailId;
    private String password;
    private boolean enabled = true;
    private boolean accountNonExpired = true;
    private boolean credentialsNonExpired = true;
    private boolean accountNonLocked = true;
    // granted authorities for this user; Role implements GrantedAuthority
    private List<Role> authorities;

    @Override
    public List<Role> getAuthorities() {
        return authorities;
    }

    //other setters and getters
}
Role class:
import org.springframework.security.core.GrantedAuthority;

public class Role implements GrantedAuthority {
    private static final long serialVersionUID = 1L;

    private String name;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    // the string Spring Security compares against in access expressions
    @Override
    public String getAuthority() {
        return this.name;
    }
}
I also have a custom UserDAO class that populates the CustomUser POJO and I have verified that there is no issue in setting of values.
This is my Principal (as written in the logs):
Principal: CustomUser [userID=user1, emailId=test@test.com, password=pwd, enabled=true, accountNonExpired=true, credentialsNonExpired=true, authorities=[Role [name=ADMIN]]];
What could be the reason that the pages are always denied?
Thanks for taking the time to read this whole post :)
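The following is an added example, not part of the original post or of Spring Security itself: a standalone reimplementation of the role-prefix rule that Spring Security 4.x applies inside hasRole(), run against the authority string shown in the logged Principal above ("ADMIN") and against the same user with the prefix included. The helper names and the sample authority lists are constructed for this example.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class RolePrefixCheck {
    // Prefix that Spring Security 4.x prepends by default inside hasRole()
    static final String DEFAULT_ROLE_PREFIX = "ROLE_";

    // Reimplements the 4.x rule (not Spring's own code): a role name passed
    // to hasRole() without the prefix gets it prepended, so hasRole('ADMIN')
    // and hasRole('ROLE_ADMIN') both look for the authority "ROLE_ADMIN".
    static String withDefaultPrefix(String role) {
        if (role == null || role.startsWith(DEFAULT_ROLE_PREFIX)) {
            return role;
        }
        return DEFAULT_ROLE_PREFIX + role;
    }

    // The comparison itself is exact, case-sensitive string equality against
    // each GrantedAuthority#getAuthority() value; no prefix is added on the
    // granted side, only to the role named in the expression.
    static boolean hasRole(Collection<String> grantedAuthorities, String role) {
        String wanted = withDefaultPrefix(role);
        return grantedAuthorities.contains(wanted);
    }

    public static void main(String[] args) {
        // Constructed sample: authority exactly as it appears in the logged Principal
        List<String> fromLog = Arrays.asList("ADMIN");
        // Constructed sample: the same user with the prefix stored in the role name
        List<String> prefixed = Arrays.asList("ROLE_ADMIN");

        System.out.println("log authority vs hasRole('ROLE_ADMIN'): "
                + hasRole(fromLog, "ROLE_ADMIN"));
        System.out.println("prefixed authority vs hasRole('ROLE_ADMIN'): "
                + hasRole(prefixed, "ROLE_ADMIN"));
        System.out.println("prefixed authority vs hasRole('ADMIN'): "
                + hasRole(prefixed, "ADMIN"));
    }
}
```

Running it shows which of the two stored role names satisfies the intercept-url expression in the configuration above, so the check can be reproduced outside the web container before touching the DAO or the XML.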