
I am checking a role "XXXXX" in my controller. But it is working only when I add the prefix "ROLE_".

`@Secured("XXXXX")` is not working, but when I add the `ROLE_` prefix it is working fine (`@Secured("ROLE_XXXXX")` is working fine). How can I override this feature in my Spring Boot version 2 project?

NatFar
Dil
  • How do you assign roles? That might be the issue – NatFar Feb 26 '20 at 15:05
  • That is how it is expected, isn't it? [`@Secured`](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/access/annotation/Secured.html) – R.G Feb 26 '20 at 15:26
  • Please read through [What does "ROLE_" mean and why do I need it on my role names?](https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-faq-role-prefix) and an SO [answer](https://stackoverflow.com/a/56167971/4214241) on how to do it. Hope this is what you are looking for. – R.G Feb 26 '20 at 15:54

1 Answer


Option 1. You can use `@RolesAllowed("role_name")` instead of `@Secured`.

You would need to enable JSR-250 annotation support by annotating a `@Configuration` class with `@EnableGlobalMethodSecurity(jsr250Enabled=true)`.

Option 2. You can use `@PreAuthorize("hasRole('ROLE_NAME_WITHOUT_ROLE_PREFIX')")` instead of `@Secured`.

You would need to enable PreAuthorize annotation support by annotating a `@Configuration` class with `@EnableGlobalMethodSecurity(prePostEnabled=true)`.

fg78nc
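
The wiring for the two options in the answer above, shown next to the `@Secured` form from the question. This is an added example, not code from the original post. It assumes Spring Boot 2.x with Spring Security 5 and the `javax.*` annotations; `MethodSecurityConfig`, `ReportController`, the request paths and the `XXXXX` role are placeholder names.

```java
// Added example; class names, paths and the XXXXX role are placeholders.
// Assumes Spring Boot 2.x (Spring Security 5, javax.* annotations).
import javax.annotation.security.RolesAllowed;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Each annotation family is ignored until its flag is switched on here.
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
class MethodSecurityConfig {
}

@RestController
class ReportController {

    // @Secured: the default RoleVoter only votes on attributes that start
    // with "ROLE_", so the prefix has to be written out.
    @Secured("ROLE_XXXXX")
    @GetMapping("/secured")
    public String secured() { return "ok"; }

    // Option 1 (JSR-250): the default "ROLE_" prefix is prepended to the
    // value, so the caller still needs the granted authority ROLE_XXXXX.
    @RolesAllowed("XXXXX")
    @GetMapping("/jsr250")
    public String rolesAllowed() { return "ok"; }

    // Option 2: hasRole() also prepends "ROLE_" when the name lacks it.
    @PreAuthorize("hasRole('XXXXX')")
    @GetMapping("/pre-authorize")
    public String preAuthorize() { return "ok"; }

    // hasAuthority() does no prefixing: it matches a granted authority
    // named exactly XXXXX.
    @PreAuthorize("hasAuthority('XXXXX')")
    @GetMapping("/authority")
    public String authority() { return "ok"; }
}
```

Methods are `public` so the method-security proxy can intercept them. A denied call raises `AccessDeniedException`, which the web layer turns into HTTP 403.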