Closed
Description
Summary
Since 4.2, we can control the default role prefix (default is ROLE_) at a single point of definition (gh-3701).
However, it does not apply to access control definitions that use ExpressionInterceptUrlRegistry#hasRole().
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults(""); // Remove the ROLE_ prefix
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ...
        http.authorizeRequests()
            .anyRequest().hasRole("USER"); // Allow access from user granted USER role
    }

    @Bean
    public UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager userDetailsManager = new InMemoryUserDetailsManager();
        userDetailsManager.createUser(
            User.withUsername("kazuki43zoo")
                .password("password")
                .authorities("USER") // Grant the USER role (without ROLE_ prefix)
                .build());
        return userDetailsManager;
    }
}
Actual Behavior
If I log in as kazuki43zoo, a 403 Forbidden error occurs.
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Wed Nov 16 01:06:38 JST 2016
There was an unexpected error (type=Forbidden, status=403).
Access is denied
Expected Behavior
The specified resource can be accessed after successful authentication (200 OK).
Version
4.2.0
Workaround
It works with the following configuration instead.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ...
        http.authorizeRequests()
            .anyRequest().access("hasRole('USER')"); // Use access() instead of hasRole()
    }
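To see why the hasRole("USER") form is denied while the access("hasRole('USER')") workaround succeeds, the following added example (not code from the issue or from Spring Security) evaluates both expression strings against Spring Security's own WebSecurityExpressionRoot with the role prefix set to "". It assumes Spring Security 4.2 and the Servlet API are on the classpath, and that in 4.2.0 the configurer's hasRole("USER") expands to the static-prefix string hasRole('ROLE_USER'), which is the behaviour the fix title refers to; the class name RolePrefixCheck is hypothetical.

```java
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;

// Hypothetical class, added here for illustration; not part of the issue.
public class RolePrefixCheck {

    // Evaluate a web-security SpEL expression for a user holding the given
    // authorities, with the role prefix that GrantedAuthorityDefaults would set.
    static boolean evaluate(String expression, String rolePrefix, String... authorities) {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "kazuki43zoo", "password", AuthorityUtils.createAuthorityList(authorities));
        WebSecurityExpressionRoot root =
                new WebSecurityExpressionRoot(auth, new FilterInvocation("/", "GET"));
        // Same effect as registering new GrantedAuthorityDefaults(rolePrefix)
        root.setDefaultRolePrefix(rolePrefix);
        return new SpelExpressionParser().parseExpression(expression)
                .getValue(new StandardEvaluationContext(root), Boolean.class);
    }

    public static void main(String[] args) {
        // Assumption: what 4.2.0's hasRole("USER") produces (static ROLE_ prefix).
        String fromHasRole = "hasRole('ROLE_USER')";
        // The access() workaround passes the expression string through verbatim.
        String fromAccess = "hasRole('USER')";

        // User built with .authorities("USER") and the prefix removed ("").
        // The first form looks up the authority name ROLE_USER, which this user
        // does not hold; the second looks up USER, which it does.
        System.out.println("hasRole(\"USER\") form, prefix \"\": "
                + evaluate(fromHasRole, "", "USER"));
        System.out.println("access(\"hasRole('USER')\") form, prefix \"\": "
                + evaluate(fromAccess, "", "USER"));

        // User built with .roles("USER"), which stores ROLE_USER: with the prefix
        // removed the lookup is for USER; with the default ROLE_ prefix the
        // expression root prepends ROLE_ and finds ROLE_USER.
        System.out.println("roles(\"USER\") user, prefix \"\": "
                + evaluate(fromAccess, "", "ROLE_USER"));
        System.out.println("roles(\"USER\") user, prefix \"ROLE_\": "
                + evaluate(fromAccess, "ROLE_", "ROLE_USER"));
    }
}
```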
Activity
kazuki43zoo commented on Nov 15, 2016
Related to this, the UserBuilder#roles method appends the ROLE_ prefix to the granted authority. Does this behavior work as designed? In this case, we can use the authorities method instead.
Replace static "ROLE_" with customized role prefix