
I'm using JHipster 4 and I have a doubt: I try to add a new role that does not follow the ROLE_* pattern, and it does not work when I use the Java annotation @Secured.

public final class AuthoritiesConstants {   
  public static final String SUPERVISED = "SUPERVISED";
  ...

I checked many websites about this issue and I can't find any suggestion. And I need to have a role called SUPERVISED because my app needs to integrate with another one.

@Secured({AuthoritiesConstants.SUPERVISED})
public class GreatResource {
...

When the web client makes a request with the SUPERVISED role, the action is denied.

Why does this happen?

Orlando Yero
  • What have you tried? This should be only spring security configuration not specific to JHipster. https://stackoverflow.com/questions/38134121/how-do-i-remove-the-role-prefix-from-spring-security-with-javaconfig/44828767#44828767 – Gaël Marziou Apr 08 '18 at 00:05
  • Yes, you are right, but the environment is this **jhipster**. I talked about JHipster because maybe it injects some extra configuration – Orlando Yero Apr 08 '18 at 00:41

1 Answer

When using the @Secured annotation, by default if the supplied role does not start with ROLE_ then it will be added. The filter is checking for ROLE_SUPERVISED instead of SUPERVISED, which is why it is not working as expected.

With Expression-Based Access Control, you can check a user's authorities including those without a ROLE_ prefix. Use the @PreAuthorize annotation combined with the hasAuthority expression:

@PreAuthorize("hasAuthority('SUPERVISED')")
Jon Ruddell
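The two approaches side by side, as an added example that is not from the question, the answer or JHipster's own code. It assumes a JHipster 4 project (Spring Boot 1.5 / Spring Security 4.2) with the AuthoritiesConstants class shown above; GreatResource and the /api/great paths are placeholders.

```java
// Added example (not from the question, answer or JHipster). Assumes a
// JHipster 4 / Spring Security 4.2 app where AuthoritiesConstants.SUPERVISED
// exists as shown on the page; GreatResource and its paths are placeholders.
package com.example.web.rest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class GreatResource {

    // Denied for a user whose granted authority is "SUPERVISED": @Secured is
    // decided by RoleVoter, which prepends ROLE_ and so compares against
    // "ROLE_SUPERVISED", a string the user never holds.
    @Secured(AuthoritiesConstants.SUPERVISED)
    @GetMapping("/api/great/secured")
    public String securedEndpoint() {
        return "not reachable with the plain SUPERVISED authority";
    }

    // Works: hasAuthority() compares the granted authority string verbatim,
    // no prefix involved. This string-concatenation form is the convention
    // JHipster itself uses for ADMIN and USER.
    @PreAuthorize("hasAuthority(\"" + AuthoritiesConstants.SUPERVISED + "\")")
    @GetMapping("/api/great")
    public String supervisedEndpoint() {
        return "allowed for the SUPERVISED authority";
    }
}

// Alternative if @Secured must stay: an empty role prefix makes RoleVoter
// compare "SUPERVISED" as-is. The same bean also changes the default prefix
// that hasRole() expects, so every existing ROLE_* check in the application
// must be reviewed before enabling it.
@Configuration
class RolePrefixConfiguration {
    @Bean
    GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");
    }
}
```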