
Spring security added prefix "ROLE_" to all roles name?

I have this code in my Web Security Config:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/api/**")
            .hasRole("ADMIN")
            .and()
            .httpBasic().and().csrf().disable();
    }

So I added a user with the "ADMIN" role in my database, and I always get a 403 error when I try logging in with this user. Then I enabled logging for Spring and found this line:

2015-10-18 23:13:24.112 DEBUG 4899 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /api/user/login; Attributes: [hasRole('ROLE_ADMIN')] 

Why is Spring Security looking for "ROLE_ADMIN" instead of "ADMIN"?

Gustavo Rozolin asked Oct 19 '15 01:10


People also ask

What is Ant matchers in Spring Security?

antMatchers() is a Spring Security configuration method that selects, by Ant-style URL pattern, the requests to which an authorization rule (for example, a required role) applies. It is overloaded: it accepts URL patterns alone, or an HTTP request method together with URL patterns.


1 Answer

Spring security adds the prefix "ROLE_" by default.

If you want this removed or changed, take a look at

How to change role from interceptor-url?

EDIT: found this as well: Spring Security remove RoleVoter prefix

jmcg answered Sep 18 '22 12:09
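The prefix behaviour described in the answer above, reproduced outside the web layer as an added example (not code from the question or the answer). It assumes spring-security-core 4.x or 5.x on the classpath; the class name `RolePrefixDemo` and the user name `demo-user` are made up for the demo.

```java
import java.util.List;

import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

public class RolePrefixDemo {

    // Builds an authenticated token carrying the given authority strings,
    // standing in for what a UserDetailsService would load from the database.
    static Authentication userWith(String... authorities) {
        List<GrantedAuthority> granted = AuthorityUtils.createAuthorityList(authorities);
        return new UsernamePasswordAuthenticationToken("demo-user", "n/a", granted);
    }

    // SecurityExpressionRoot is declared abstract but has no abstract methods,
    // so an empty anonymous subclass is enough to evaluate its expressions.
    static SecurityExpressionRoot rootFor(Authentication auth) {
        return new SecurityExpressionRoot(auth) { };
    }

    public static void main(String[] args) {
        // The question's situation: the database holds the bare string "ADMIN".
        // hasRole("ADMIN") prepends the default prefix and compares against
        // "ROLE_ADMIN"; hasAuthority("ADMIN") compares the string unchanged.
        SecurityExpressionRoot bare = rootFor(userWith("ADMIN"));
        System.out.println("stored ADMIN,      hasRole(ADMIN):      " + bare.hasRole("ADMIN"));
        System.out.println("stored ADMIN,      hasAuthority(ADMIN): " + bare.hasAuthority("ADMIN"));

        // Option 1: store the authority with the prefix and keep hasRole("ADMIN").
        SecurityExpressionRoot prefixed = rootFor(userWith("ROLE_ADMIN"));
        System.out.println("stored ROLE_ADMIN, hasRole(ADMIN):      " + prefixed.hasRole("ADMIN"));

        // Option 2: clear the default prefix so hasRole compares the bare name.
        SecurityExpressionRoot noPrefix = rootFor(userWith("ADMIN"));
        noPrefix.setDefaultRolePrefix("");
        System.out.println("prefix cleared,    hasRole(ADMIN):      " + noPrefix.hasRole("ADMIN"));
    }
}
```

For the configuration in the question, this corresponds to either storing `ROLE_ADMIN` for the user or writing `.hasAuthority("ADMIN")` in place of `.hasRole("ADMIN")`.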