I am using role hierarchy in Spring Security as in my question. When I try to secure a method with `@PreAuthorize("hasRole('ROLE_USER')")`, I always get an `AccessDeniedException`. However, if I change it to `@Secured("ROLE_USER")` or

```xml
<protect-pointcut
      expression="execution(* my.package.Class.*(..))"
      access="ROLE_GUEST" />
```

I have no issue. From this answer, both should behave the same except for the listed differences. Am I missing something here?

Edit: Here is my configuration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:context="http://www.springframework.org/schema/context"
  xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <http entry-point-ref="entryPoint">
    <anonymous enabled="false" />
  </http>

  <beans:bean id="entryPoint"
    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

  <global-method-security secured-annotations="enabled"
    pre-post-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
    <!-- this is disabled if I secure with the @Secured annotation -->
    <protect-pointcut
      expression="execution(* my.package.Class.*(..))"
      access="ROLE_GUEST" />
  </global-method-security>

  <beans:bean id="accessDecisionManager"
    class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
      <beans:list>
        <beans:ref bean="roleHierarchyVoter" />
      </beans:list>
    </beans:property>
  </beans:bean>

  <beans:bean id="roleHierarchyVoter"
    class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <beans:constructor-arg ref="roleHierarchy" />
  </beans:bean>

  <beans:bean id="roleHierarchy"
    class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
      <beans:value>
        ROLE_USER > ROLE_GUEST
      </beans:value>
    </beans:property>
  </beans:bean>

  <beans:bean id="userDetailsService"
    class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <beans:property name="dataSource" ref="dataSource" />
    <beans:property name="enableGroups" value="true" />
    <beans:property name="enableAuthorities" value="false" />
  </beans:bean>

  <authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
    </authentication-provider>
  </authentication-manager>

</beans:beans>
```
Lee Chee Kiam
  • According to the [documentation](http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ns-config.html#ns-global-method), you must enable `pre-post-annotations` in your `global-method-security` element: ``. Are you doing that? – bluefoot Oct 24 '11 at 16:38
  • @bluefoot, yes, I added both secured-annotations="enabled" pre-post-annotations="enabled" – Lee Chee Kiam Oct 25 '11 at 00:59

1 Answer

I'm not so sure what your configuration looks like, as you are referring to another post. The solution might be simple. Leave out `access-decision-manager-ref`, as in:

```xml
<sec:global-method-security
    secured-annotations="enabled" pre-post-annotations="enabled" />
```

In practice, if Pre* / Post* annotations are being used for method security, a voter-based system is not really necessary. Actually there is no voter for that at all, so all other voters abstain and the access is denied.

jeha
  • If I remove RoleHierarchyVoter or access-decision-manager-ref, I will get AccessDeniedException. – Lee Chee Kiam Oct 25 '11 at 10:09
  • @CKLee: please post your full Spring configuration – jeha Oct 25 '11 at 10:14
  • @CKLee: Did you disable the `protect-pointcut` where using `@PreAuthorize`? Where is the `AccessDeniedException` thrown? Please also attach the stacktrace. – jeha Oct 25 '11 at 10:36
  • At the very beginning, I had no protect-pointcut at all but only `@PreAuthorize`; then I changed to `protect-pointcut` or `@Secured` only, and it works. – Lee Chee Kiam Oct 25 '11 at 13:07
  • @CKLee: Please attach a stacktrace of the `AccessDeniedException` when using `@PreAuthorize`. – jeha Oct 25 '11 at 13:39
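
The answer's point that no configured voter handles `@PreAuthorize` can be addressed while keeping a custom decision manager. The fragment below is an added example, not part of the original posts and not code from the Spring Security project: it registers a `PreInvocationAuthorizationAdviceVoter` next to the question's `roleHierarchyVoter` and hands the question's `roleHierarchy` bean to the expression handler. The bean id `expressionHandler` is an assumption chosen for this example; the other ids come from the question's configuration.

```xml
<!-- Added example: fragment for the question's <beans:beans> file (security is the default namespace). -->
<global-method-security secured-annotations="enabled"
    pre-post-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
  <!-- Expressions such as hasRole('ROLE_GUEST') are evaluated by this handler -->
  <expression-handler ref="expressionHandler" />
</global-method-security>

<!-- "expressionHandler" is an id chosen for this example -->
<beans:bean id="expressionHandler"
    class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
  <!-- Lets hasRole() see roles reachable through ROLE_USER > ROLE_GUEST -->
  <beans:property name="roleHierarchy" ref="roleHierarchy" />
</beans:bean>

<beans:bean id="accessDecisionManager"
    class="org.springframework.security.access.vote.AffirmativeBased">
  <beans:property name="decisionVoters">
    <beans:list>
      <!-- Votes on @PreAuthorize / @PreFilter attributes; RoleHierarchyVoter abstains on them -->
      <beans:bean class="org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter">
        <beans:constructor-arg>
          <beans:bean class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice">
            <beans:property name="expressionHandler" ref="expressionHandler" />
          </beans:bean>
        </beans:constructor-arg>
      </beans:bean>
      <!-- Still handles ROLE_* attributes from @Secured and protect-pointcut -->
      <beans:ref bean="roleHierarchyVoter" />
    </beans:list>
  </beans:property>
</beans:bean>
```

With only `RoleHierarchyVoter` in the list, every voter abstains on a `@PreAuthorize` attribute and `AffirmativeBased` denies access by default, which is the fail-closed behaviour reported in the question.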