How do I use custom roles/authorities in Spring Security?

While migrating a legacy application to spring security I got the following exception:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainProxy': Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainList': Cannot resolve reference to bean '_filterSecurityInterceptor' while setting bean property 'filters' with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterSecurityInterceptor': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [superadmin]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:480)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)

In the old application there are roles like "superadmin", "editor", "helpdesk" etc. But in all Spring Security examples I only see roles like "ROLE_" ("ROLE_ADMIN" etc). When I rename "superadmin" to "ROLE_ADMIN" and only use this role in the config, everything works.

Doesn't work:

    <http auto-config="true">
        <intercept-url pattern="/restricted/**" access="superadmin"/>
        <form-login
            authentication-failure-url="/secure/loginAdmin.do?error=true"
            login-page="/secure/loginAdmin.do" />
    </http>

Works:

    <http auto-config="true">
        <intercept-url pattern="/restricted/**" access="ROLE_ADMIN"/>
        <form-login
            authentication-failure-url="/secure/loginAdmin.do?error=true"
            login-page="/secure/loginAdmin.do" />
    </http>

Is it possible to use custom role names?

D. Wroblewski asked Jun 12 '09 14:06

2 Answers

You are using the default configuration, which expects that roles start with the "ROLE_" prefix. You will have to add a custom security configuration and set rolePrefix to "".

http://forum.springsource.org/archive/index.php/t-53485.html

rodrigoap answered Sep 28 '22 07:09


Here is a complete configuration using access expressions (the link provided by @rodrigoap seems a little bit outdated):

    <http access-decision-manager-ref="accessDecisionManager"
          use-expressions="true">
        <!-- intercept-url and form-login elements omitted -->
    </http>

    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter">
                    <!-- empty prefix: "superadmin", "editor", "helpdesk" are accepted as-is -->
                    <beans:property name="rolePrefix" value=""/>
                </beans:bean>
                <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            </beans:list>
        </beans:property>
    </beans:bean>
Tomasz Nurkiewicz answered Sep 28 '22 06:09
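The startup failure in the question comes from attribute validation: the security interceptor checks every access attribute against its voters when it initialises, and the default RoleVoter only claims attributes that start with ROLE_, so a bare "superadmin" is "Unsupported". Both answers above fix this by changing the prefix. As an added example that is not code from the question or from either answer, the following Java configuration (Spring Security 6 style) shows the two ways the same legacy names can be used without renaming them: hasAuthority(), which compares the granted-authority string verbatim and never involves a prefix, and a GrantedAuthorityDefaults bean with an empty prefix, which is the Java-config counterpart of rolePrefix="" on RoleVoter. The class name, the user names and passwords, and the /content and /tickets paths are assumptions for illustration; the /restricted and /secure/loginAdmin.do paths are taken from the question.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Hypothetical class name. Keeps the legacy authority names
 * "superadmin", "editor" and "helpdesk" verbatim instead of renaming them
 * to ROLE_ADMIN and friends.
 */
@Configuration
@EnableWebSecurity
public class LegacyRoleSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // hasAuthority() matches the GrantedAuthority string exactly,
                // so no ROLE_ prefix is involved. hasRole("superadmin") with the
                // default prefix would look for "ROLE_superadmin" instead and
                // deny every legacy user.
                .requestMatchers("/restricted/**").hasAuthority("superadmin")
                .requestMatchers("/content/**").hasAnyAuthority("superadmin", "editor")
                .requestMatchers("/tickets/**").hasAnyAuthority("superadmin", "helpdesk")
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/secure/loginAdmin.do")
                .failureUrl("/secure/loginAdmin.do?error=true")
                .permitAll());
        return http.build();
    }

    /*
     * Alternative, equivalent to rolePrefix="" on RoleVoter in the XML answer:
     * expose a GrantedAuthorityDefaults bean with an empty prefix so that
     * hasRole("superadmin") also matches the bare authority string. Use one
     * approach consistently; mixing prefixed and unprefixed names results in
     * silent 403s rather than a startup error.
     */
    // @Bean
    // static GrantedAuthorityDefaults grantedAuthorityDefaults() {
    //     return new GrantedAuthorityDefaults("");
    // }

    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed sample users standing in for the legacy user store.
        // Use .authorities(...), not .roles(...): roles("superadmin") would
        // store "ROLE_superadmin" and the hasAuthority checks above would fail.
        UserDetails admin = User.withUsername("alice")
            .password(encoder.encode("change-me"))
            .authorities("superadmin")
            .build();
        UserDetails editor = User.withUsername("bob")
            .password(encoder.encode("change-me"))
            .authorities("editor")
            .build();
        UserDetails helpdesk = User.withUsername("carol")
            .password(encoder.encode("change-me"))
            .authorities("helpdesk")
            .build();
        return new InMemoryUserDetailsManager(admin, editor, helpdesk);
    }
}
```

To check the wiring, log in as alice and request /restricted/, then repeat as bob: the first should succeed and the second should get a 403. If you switch the rules to hasRole() without the GrantedAuthorityDefaults bean, alice is denied too, which is the same prefix mismatch as in the question, only surfacing at request time instead of at startup.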