
I was investigating how to create a custom role prefix until I realized that it doesn't matter. As long as my role from my db matches something like:

<security:intercept-url pattern="/person/myProfile/**" access="hasRole('BlaBla')" />

And it is not an example; in the db I literally set up the role BlaBla to test, and it works.

I don't like it when I get different behavior: many people had problems setting up a custom prefix to create a custom role. What happens here, and should I expect hidden rocks?

I have the 3.0.7 release. And in my query for authorities I don't have 'default' values. Is it caused by the version?


1 Answer


Probably you're using:

<http use-expressions="true"> 

that configures a WebExpressionVoter, which will vote true for the users who have the granted authority "BlaBla" (in your case).

Remember that the Authorization for a secured object (a URL, for instance) is performed by an AccessDecisionManager.

There are three concrete AccessDecisionManagers: affirmative, consensus and unanimous.

For taking the decisions, they use a list of AccessDecisionVoters: RoleVoter, the one that you expected, which has the rolePrefix configurable (ROLE_ by default), AuthenticatedVoter and the new WebExpressionVoter.

Don't forget that the combination of the AccessDecisionManager and its Voters could allow or deny the permission in a way that you'd think illogical.

And I recommend you debug the requests to see if the URL and the pattern match as you expected.

  • I am using pretty much the default configuration. So I guess I don't have a combination of AccessDecisionManager and multiple Voters. And my requests are perfectly valid (other roles and anonymous can't access the resource), so I guess this WebExpressionVoter is the culprit. Weird anyway. When is the roleVoter chosen then? How does it know which one to choose? Say, will method level security still work with WebExpressionVoter? – Aubergine Nov 29 '11 at 20:20
  • @Aubergine `Voter`s are not "chosen": every `Voter` is always asked to vote and then the `AccessDecisionManager` combines all votes to make the final decision. The default `AccessDecisionManager` is `AffirmativeBased`, that allows access as long as no `Voter` denies access and at least one `Voter` allows access. Note that `Voter`s can (and often do) abstain, which the `AccessDecisionManager` usually interprets as "I don't mind about this access attempt". In your case the `WebExpressionVoter` allows access and the other `Voter`s abstain, so in the end the access is granted. – gpeche Nov 29 '11 at 22:05
  • Apologies for the misunderstanding. I meant I don't know your configuration (the contents of your applicationContext-security.xml) but if you use use-expressions with security namespace, WebExpressionVoter is configured. – jbbarquero Nov 30 '11 at 09:50
  • @jbbarquero I am using `use-expressions=true` and Spring Security 4.0.1 and any role without the "ROLE_" prefix does not work, is there something I am missing out? – Sajib Acharya May 10 '16 at 11:25
  • check [this](http://stackoverflow.com/questions/31996567/how-to-deal-with-defaultroleprefix-role-in-spring-security-update-from-3-2-7/31996771) question. I think you should use `hasAuthority` instead. – Cataclysm Oct 31 '16 at 04:34
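To make the voting behaviour described in the answer and in gpeche's comment concrete, here is an added Python model (written for this page, not Spring Security's own code) of RoleVoter, WebExpressionVoter and the three decision managers. The `spring4` flag is an assumption introduced here to model the 4.0 change that Sajib and Cataclysm discuss, where `hasRole()` prepends the ROLE_ prefix but `hasAuthority()` does not; vote values mirror Spring's ACCESS_GRANTED/ABSTAIN/DENIED constants.

```python
import re

GRANTED, ABSTAIN, DENIED = 1, 0, -1   # Spring's ACCESS_* constants

class RoleVoter:
    """Votes only on attributes carrying its prefix (ROLE_ by default); else abstains."""
    def __init__(self, prefix="ROLE_"):
        self.prefix = prefix

    def vote(self, authorities, attributes):
        result = ABSTAIN
        for attr in attributes:
            if attr.startswith(self.prefix):
                result = DENIED  # a supported attribute was seen: no longer abstaining
                if attr in authorities:
                    return GRANTED
        return result

class WebExpressionVoter:
    """Handles hasRole('X') / hasAuthority('X'), configured by use-expressions="true".
    spring4=True (assumed flag) models 4.x, where hasRole prepends ROLE_ unless present."""
    EXPR = re.compile(r"(hasRole|hasAuthority)\('([^']*)'\)")

    def __init__(self, spring4=False, prefix="ROLE_"):
        self.spring4, self.prefix = spring4, prefix

    def vote(self, authorities, attributes):
        for attr in attributes:
            m = self.EXPR.fullmatch(attr)
            if m is None:
                continue
            func, name = m.groups()
            if func == "hasRole" and self.spring4 and not name.startswith(self.prefix):
                name = self.prefix + name  # 4.x: 'BlaBla' is compared as 'ROLE_BlaBla'
            return GRANTED if name in authorities else DENIED
        return ABSTAIN  # no expression attribute: this voter has no opinion

# Decision managers combine the vote list; all-abstain denies (Spring's default).
def affirmative(votes):  # default manager: a single grant wins, even beside denies
    return GRANTED in votes

def consensus(votes):    # majority wins; a tie grants (allowIfEqualGrantedDeniedDecisions)
    g, d = votes.count(GRANTED), votes.count(DENIED)
    return g > 0 and g >= d

def unanimous(votes):    # any deny loses; otherwise at least one grant is needed
    return DENIED not in votes and GRANTED in votes

def decide(manager, voters, authorities, attributes):
    return manager([v.vote(authorities, attributes) for v in voters])
```

With the 3.x behaviour, `hasRole('BlaBla')` is granted for a user holding the bare authority `BlaBla` because the RoleVoter abstains and the WebExpressionVoter grants; with `spring4=True` the same setup is denied unless the attribute is changed to `hasAuthority('BlaBla')` or the authority is stored as `ROLE_BlaBla`.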