
WebExpressionVoter is a Spring Security decision voter that "handles web authorization decisions".

This answer about the difference between WebExpressionVoter and AuthenticatedVoter explains further that enabling it allows the use of SpEL expressions like in XML config:

<http use-expressions="true">
    <intercept-url pattern="/admin*" access="hasRole('admin')"/>
    ...
</http>

However, I find that if I use WebSecurityConfigurerAdapter, the SpEL expression that comes through isn't what I'd expect.

// ...
.anyRequest().authenticated()
    .antMatcher("/*").denyAll()
// ...

If I put a breakpoint in WebExpressionVoter here and look at the expression that is evaluated, it's "authenticated" -- which it passes so long as the user is authenticated. But "denyAll" is also an expression -- why is this not included in the expression that WebExpressionVoter votes on? What logic does Spring use to decide which expression is used? And how could you make Spring Security evaluate all expressions?

Lauren
  • Internally they are, nonetheless they are 2 separate expressions for 2 separate patterns, just like in XML. – M. Deinum Sep 09 '20 at 13:45
  • Combining `authenticated` and `denyAll` doesn't make sense. But if you need more complex expressions just use `access` and write the expression you want. – M. Deinum Sep 09 '20 at 15:05
  • OK that's really helpful. Just to be sure: I was reading the line as "any request has to be authenticated, but the requests matched by this matcher are also denyAll (or whatever expression)". But you are saying it's actually two separate rules -- the first will apply, so the second will never need to? – Lauren Sep 09 '20 at 15:10
  • Yes, `anyRequest()` is basically an `antMatcher("/**")` and basically should always be the last in your list of rules. The order in which you define rules is also the order in which they are consulted by Spring Security, so if the catch-all is first everything else is rendered useless. – M. Deinum Sep 09 '20 at 16:01
  • Thanks @M.Deinum -- if you feel like summarizing that in an answer I'd be happy to accept it – Lauren Sep 09 '20 at 16:55
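
The first-match ordering described in the comments, as an added example that is not part of the question or of Spring Security's own code: each matcher carries exactly one SpEL expression, WebExpressionVoter evaluates only the expression of the first matcher that matches the request, and the catch-all `anyRequest()` goes last. The URL patterns, the `ADMIN` role and the class name are assumed for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class RuleOrderConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are consulted top to bottom. The first pattern that matches
                // the request selects the single expression WebExpressionVoter
                // evaluates; later rules are not consulted for that request.
                // Most specific rules therefore come first.
                .antMatchers("/internal/**").denyAll()        // expression: denyAll
                .antMatchers("/admin/**").hasRole("ADMIN")    // expression: hasRole('ROLE_ADMIN')
                .antMatchers("/public/**").permitAll()        // expression: permitAll
                // Catch-all, equivalent to antMatchers("/**"). In the question it
                // was placed before denyAll, so every request matched here and
                // the breakpoint only ever saw "authenticated".
                .anyRequest().authenticated()                 // expression: authenticated
                .and()
            .formLogin();
    }
}
```

A request to `/internal/report` is decided by `denyAll` alone, even for an authenticated user; `/internal/**` placed after `anyRequest()` would never be reached.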
