Spring Security Authorization - Admin is denied access

Question

The authorization for the role admin is being denied access to the whole system - the admin and home pages. So I added ROLE_ADMIN to the /main/home intercept-url.

This is the security xml

<http auto-config="true" use-expressions="true">

<intercept-url pattern="/**" requires-channel="https" />
<intercept-url pattern='/main/home/' access="hasRole('ROLE_USER' 'ROLE_ADMIN')" />
<intercept-url pattern='/admin/admin/**' access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern='/main/user/setter/settingpage' access="hasRole('ROLE_USER')" />
<intercept-url pattern='/main/user/setter/addpage' access="hasRole('ROLE_USER')" />
<intercept-url pattern='/login.jsp' access='IS_AUTHENTICATED_ANONYMOUSLY' /> 

<form-login login-page="/login.jsp" default-target-url="/main/home" authentication-failure-url="/auth/loginfail?error=true"/>

</http>  

But that made the whole program stop working as When I run the code as it is the error is

Failed to parse expression 'hasRole('ROLE_USER' 'ROLE_ADMIN')'

When I do remove the ROLE_ADMIN the system works and can authenticate users just not the ROLE_ADMIN who is now being denied access to all pages. In the db I have set up the roles and it was working until recently.

Answer 1

As the error message indicates,

Failed to parse expression 'hasRole('ROLE_USER' 'ROLE_ADMIN')

You need to use hasAnyRole() with a comma separated list of authorities.

Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings), see

So change

<intercept-url pattern='/main/home/' access="hasRole('ROLE_USER' 'ROLE_ADMIN')" />

to

<intercept-url pattern='/main/home/' access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />

---

Since, you have set use-expressions to true, you need to change

IS_AUTHENTICATED_ANONYMOUSLY

to

isAnonymous()