Spring Security remove RoleVoter prefix

Question

In the project I am working we authenticate based on role ids rather than role description and this mapping is stored in the database.

My question is, How do I remove Spring Security's RoleVoter prefix to implement the design as above?

Answer 1

Spring security RoleVoterneeds a prefix in order to distinguish the granted authorities that are roles, see this answer for further details.

If you want to change this, you can always provide your own custom AccessDecisionManager and configure it with a customRoleVoter`.

This is an example of such a custom access decision manager:

public class MyAccessDecisionManager  extends AffirmativeBased {


    public MyAccessDecisionManager() {
        super();
        List<AccessDecisionVoter> decisionVoters = new ArrayList<AccessDecisionVoter>();
        RoleVoter roleVoter = new MyCustomRoleVoter();
        decisionVoters.add(roleVoter);
        AuthenticatedVoter authenticatedVoter = new AuthenticatedVoter();
        decisionVoters.add(authenticatedVoter);
        setDecisionVoters(decisionVoters);

    }

And for using it in place of the default access decision manager:

<bean id="myAccessDecisionManager" class="full.package.name.MyAccessDecisionManager" />

<security:http access-decision-manager-ref="myAccessDecisionManager">
    ...
</security:http>

Answer 2

May be somebody need decision with annotation based for web application

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
protected static class GlobalSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected AccessDecisionManager accessDecisionManager() {
        AffirmativeBased accessDecisionManager = (AffirmativeBased)super.accessDecisionManager();
        for(AccessDecisionVoter voter: accessDecisionManager.getDecisionVoters()){
            if(voter instanceof RoleVoter){
                // do what you whant
            }
        }
        return accessDecisionManager;
    }
}



@Configuration
@EnableWebSecurity
protected static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Bean
    @Primary
    public AccessDecisionManager accessDecisionManager() {
        List<AccessDecisionVoter<? extends Object>> decisionVoters = Arrays.asList(
                new WebExpressionVoter(),
                new RoleVoter(),
                new AuthenticatedVoter()
        );
        return new AffirmativeBased(decisionVoters);
    }
}