Spring Security does not work with "hasRole('ROLE_ADMIN')" or ROLE_ADMIN

Question

I am using Spring Security version 4.1. If I specify access="hasRole('ROLE_ADMIN')" or access="ROLE_ADMIN" in the security configuration, I am able to login, but I am unable to access my admin page.

<security:http use-expressions="true">
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <!-- security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" / -->
    <security:intercept-url pattern="/createmanufsensors" access="isAuthenticated()" />
</security:http>
<security:global-method-security secured-annotations="enabled"></security:global-method-security>

Below is the debug error:

DEBUG [http-bio-8080-exec-10] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /admin; Attributes: [hasRole('ROLE_ADMIN')]     
2016-06-25 10:07:53,667 [] DEBUG [http-bio-8080-exec-10] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@cc305a73: Principal: org.springframework.security.core.userdetails.User@74b46745: Username: francatore                                                  ; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN                                ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 7F702A6911A71EA5556C750B6D424FF5; Granted Authorities: ROLE_ADMIN                                   
2016-06-25 10:07:53,667 [] DEBUG [http-bio-8080-exec-10] [org.springframework.security.access.vote.AffirmativeBased] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@170ea084, returned: -1
2016-06-25 10:07:53,668 [] DEBUG [http-bio-8080-exec-10] [org.springframework.security.web.access.ExceptionTranslationFilter] Access is denied (user is not anonymous); delegating to AccessDeniedHandler

What could I possibly be missing?

Answer 1

I have a small explanation for this. Here you are authenticated as a normal user but not authorized to view the admin page.

If you are using access="hasRole('ROLE_ADMIN')" expression, then the Spring EL class (i.e SecurityExpressionRoot) will add the prefix ROLE_ to every role that we have provide in hasRole() expression. So in your case the role you have provided in hasRole('ROLE_ADMIN') resolves to ROLE_ROLE_ADMIN.

Thats why you are authenticated as a user who has ROLE_ADMIN. But to the Spring Security framework to view the admin page the user must have the role of ROLE_ROLE_ADMIN (because the SecurityExpressionRoot class added ROLE_ prefix).

So for this remove that ROLE_ prefix in your code, i.e here access="hasRole('ADMIN')" So, Spring Security will add that ROLE_ prefix automatically. And make sure that you have specified your admin role in database as ROLE_ADMIN.