
GrantedAuthorityDefaults does not apply on ExpressionInterceptUrlRegistry#hasRole #4134

Closed · opened by @kazuki43zoo (Contributor)

Description

Summary

Since 4.2, we can control the default role prefix (default is ROLE_) at a single point of definition (gh-3701).
However, it does not apply to access control definitions that use ExpressionInterceptUrlRegistry#hasRole().

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults(""); // Remove the ROLE_ prefix
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ...
        http.authorizeRequests()
                .anyRequest().hasRole("USER"); // Allow access only to users granted the USER role
    }

    @Bean
    public UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager userDetailsManager = new InMemoryUserDetailsManager();
        userDetailsManager.createUser(
                User.withUsername("kazuki43zoo")
                        .password("password")
                        .authorities("USER")  // Grant the USER role (without the ROLE_ prefix)
                        .build());
        return userDetailsManager;
    }

}

Actual Behavior

If I log in as kazuki43zoo, a 403 Forbidden error occurs.

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Wed Nov 16 01:06:38 JST 2016
There was an unexpected error (type=Forbidden, status=403).
Access is denied

Expected Behavior

The specified resource can be accessed after successful authentication (200 OK).

Version

4.2.0

Workaround

It works with the following configuration instead.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ...
        http.authorizeRequests()
                .anyRequest().access("hasRole('USER')"); // Use the access() instead of hasRole()
    }

Activity

kazuki43zoo (Contributor, Author) commented on Nov 15, 2016

Related to this, the UserBuilder#roles method appends the ROLE_ prefix to the granted authority. Is this behavior working as designed?

    @Bean
    public UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager userDetailsManager = new InMemoryUserDetailsManager();
        userDetailsManager.createUser(
                User.withUsername("kazuki43zoo")
                        .password("password")
                        .roles("USER") // the ROLE_ prefix is appended here
//                        .authorities("USER")
                        .build());
        return userDetailsManager;
    }

In this case, we can use the authorities method instead.
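
The following is an added stand-alone Java model, not code from this issue or from Spring Security itself. It covers both the hasRole()/access() difference in the report and the roles() question in this comment. It assumes, from the 4.2 sources rather than from anything stated on this page, that the registry's hasRole("USER") produced the SpEL string hasRole('ROLE_USER') at configuration time, and that SecurityExpressionRoot prepends the configured default prefix only when the role does not already start with it. The method names withDefaultPrefix, registryHasRole, roleArgument, permitted and authorityFromRolesBuilder are this example's own.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Stand-alone model (not Spring Security's code) of how a role requirement reaches
 * the expression evaluator in the three configurations discussed in gh-4134.
 * Assumption taken from the 4.2 sources: the registry shortcut baked a literal
 * "ROLE_" into the expression string, so GrantedAuthorityDefaults never saw it.
 */
public class RolePrefixModel {

    /** The rule SecurityExpressionRoot applies to the role named in hasRole(...). */
    static String withDefaultPrefix(String defaultRolePrefix, String role) {
        if (role == null) {
            return null;
        }
        if (defaultRolePrefix == null || defaultRolePrefix.isEmpty()) {
            return role;
        }
        if (role.startsWith(defaultRolePrefix)) {
            return role;
        }
        return defaultRolePrefix + role;
    }

    /** The 4.2 registry shortcut (assumed): hasRole("USER") became this string regardless of GrantedAuthorityDefaults. */
    static String registryHasRole(String role) {
        if (role.startsWith("ROLE_")) {
            throw new IllegalArgumentException("role should not start with 'ROLE_' since it is inserted automatically");
        }
        return "hasRole('ROLE_" + role + "')";
    }

    /** Toy extraction of the argument of hasRole('...'); Spring parses the same string with SpEL. */
    static String roleArgument(String expression) {
        String marker = "hasRole('";
        int start = expression.indexOf(marker) + marker.length();
        int end = expression.indexOf("')", start);
        if (start < marker.length() || end < 0) {
            throw new IllegalArgumentException("not a hasRole('...') expression: " + expression);
        }
        return expression.substring(start, end);
    }

    /** Evaluate a hasRole expression against a user's granted authorities under a given default prefix. */
    static boolean permitted(String expression, String defaultRolePrefix, Set<String> authorities) {
        String required = withDefaultPrefix(defaultRolePrefix, roleArgument(expression));
        return authorities.contains(required);
    }

    /** What User.withUsername(...).roles("USER") stores as the authority (the question in this comment). */
    static String authorityFromRolesBuilder(String role) {
        return "ROLE_" + role;
    }

    public static void main(String[] args) {
        String prefix = "";                          // new GrantedAuthorityDefaults("")
        Set<String> granted = Set.of("USER");        // .authorities("USER"), as in the report (constructed sample)

        Map<String, Boolean> outcomes = new LinkedHashMap<>();
        // 1. .anyRequest().hasRole("USER"): the string already carries ROLE_, so "" as prefix changes nothing -> denied (the bug)
        outcomes.put("registry hasRole(\"USER\"), prefix \"\"",
                permitted(registryHasRole("USER"), prefix, granted));
        // 2. .anyRequest().access("hasRole('USER')"): the evaluator sees plain USER -> allowed (the workaround)
        outcomes.put("access(\"hasRole('USER')\"), prefix \"\"",
                permitted("hasRole('USER')", prefix, granted));
        // 3. default prefix left at ROLE_ and .roles("USER"): the builder stores ROLE_USER and the shortcut matches
        Set<String> viaRoles = Set.of(authorityFromRolesBuilder("USER"));
        outcomes.put("registry hasRole(\"USER\") with roles(\"USER\"), prefix ROLE_",
                permitted(registryHasRole("USER"), "ROLE_", viaRoles));

        outcomes.forEach((scenario, ok) ->
                System.out.println(scenario + " -> " + (ok ? "200 OK" : "403 Forbidden")));
    }
}
```

Running main prints 403 Forbidden for the first scenario and 200 OK for the other two, which is the behaviour the report and the workaround describe: the prefix setting is only honoured when the role reaches the evaluator without ROLE_ already attached.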

added this to the 4.2.1 milestone on Nov 15, 2016
self-assigned this on Nov 15, 2016
modified the milestones: 4.2.1, 5.0.0.M1 on Dec 21, 2016
modified the milestones: 5.0.0.M1, 5.0.0.M2 on May 10, 2017
modified the milestones: 5.0.0.M2, 5.0.0.M3 on Jun 15, 2017


self-assigned this on Sep 2, 2021
added the label "in: config" (An issue in spring-security-config) and removed a label on Sep 2, 2021
added a commit that references this issue on Sep 9, 2021: f2b2e60

Metadata

Labels: in: config (An issue in spring-security-config), type: enhancement (A general enhancement)
Milestone: No milestone
Participants: @rwinch, @jeffsheets, @BenDol, @jzheaux, @kazuki43zoo

GrantedAuthorityDefaults does not apply on ExpressionInterceptUrlRegistry#hasRole · Issue #4134 · spring-projects/spring-security