I was investigating how to create a custom role prefix until I realized that it doesn't matter, as long as my role from my db matches something like:
<security:intercept-url pattern="/person/myProfile/**" access="hasRole('BlaBla')" />
And it is not an example; in the db I literally set up the role BlaBla to test, and it works.
I don't like it when I get different behavior - many people had problems setting up a custom prefix to create a custom role. What happens here, and should I expect hidden rocks?
I have the 3.0.7 release. And in my query for authorities I don't have 'default' values... Is it caused by the version?
Probably you're using:
<http use-expressions="true">
that configures a WebExpressionVoter which will vote true for the users who have the granted authority "BlaBla" (in your case).
Remember that the authorization for a secured object (a URL, for instance) is performed by an AccessDecisionManager.
There are three concrete AccessDecisionManagers: affirmative, consensus and unanimous.
To make their decisions, they use a list of AccessDecisionVoters:
RoleVoter, the one that you expected, which has a configurable rolePrefix (ROLE_ by default), AuthenticatedVoter and the new WebExpressionVoter.
Don't forget that the combination of the AccessDecisionManager and its voters could allow or deny the permission in a way that you'd think illogical.
And I recommend that you debug the requests to see if the URL and the pattern match as you expected.