user2259555

Reputation: 233

Spring Security Authorization - Admin is denied access

The admin role is being denied access to the whole system, both the admin and the home pages. So I added ROLE_ADMIN to the /main/home intercept-url.

This is the security xml

<http auto-config="true" use-expressions="true">

<intercept-url pattern="/**" requires-channel="https" />
<intercept-url pattern='/main/home/' access="hasRole('ROLE_USER' 'ROLE_ADMIN')" />
<intercept-url pattern='/admin/admin/**' access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern='/main/user/setter/settingpage' access="hasRole('ROLE_USER')" />
<intercept-url pattern='/main/user/setter/addpage' access="hasRole('ROLE_USER')" />
<intercept-url pattern='/login.jsp' access='IS_AUTHENTICATED_ANONYMOUSLY' /> 

<form-login login-page="/login.jsp" default-target-url="/main/home" authentication-failure-url="/auth/loginfail?error=true"/>

</http>  

But that made the whole program stop working. When I run the code as it is, the error is

Failed to parse expression 'hasRole('ROLE_USER' 'ROLE_ADMIN')'

When I remove ROLE_ADMIN, the system works and can authenticate users, just not ROLE_ADMIN, who is now being denied access to all pages. In the db I have set up the roles and it was working until recently.

Upvotes: 6

Views: 10820

Answers (2)

Trong Tran

Reputation: 686

SpEL: Spring Expression Language

access="hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')"

also:

access="hasRole('USER_ADMIN') and hasIpAddress('192.168.1.10')"

Upvotes: 0

Lion

Reputation: 19037

As the error message indicates,

Failed to parse expression 'hasRole('ROLE_USER' 'ROLE_ADMIN')'

You need to use hasAnyRole() with a comma separated list of authorities.

Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings), see

So change

<intercept-url pattern='/main/home/' access="hasRole('ROLE_USER' 'ROLE_ADMIN')" />

to

<intercept-url pattern='/main/home/' access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />

Since you have set use-expressions to true, you need to change

IS_AUTHENTICATED_ANONYMOUSLY

to

isAnonymous()

Upvotes: 15
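A way to check these access expressions outside the running application, as an added example that is not part of either answer: it uses Spring's SpelExpressionParser (spring-expression on the classpath is assumed) against a small stand-in root object that mimics the hasRole/hasAnyRole/isAnonymous methods of Spring Security's expression root, so the missing-comma parse failure and the corrected expression can be exercised for an admin-only, a user-only and an anonymous principal.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelParseException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class AccessExpressionCheck {

    /** Stand-in (not Spring Security's class) exposing the methods the intercept-url expressions call. */
    public static class RoleRoot {
        private final Set<String> authorities;
        private final boolean anonymous;

        RoleRoot(boolean anonymous, String... authorities) {
            this.anonymous = anonymous;
            this.authorities = new HashSet<>(Arrays.asList(authorities));
        }
        public boolean hasRole(String role) { return authorities.contains(role); }
        public boolean hasAnyRole(String... roles) {
            for (String r : roles) if (authorities.contains(r)) return true;
            return false;
        }
        public boolean isAnonymous() { return anonymous; }
    }

    /** Parses and evaluates one access expression; returns null when it does not even parse. */
    static Boolean evaluate(String accessExpr, RoleRoot principal) {
        SpelExpressionParser parser = new SpelExpressionParser();
        try {
            Expression expr = parser.parseExpression(accessExpr);
            return expr.getValue(new StandardEvaluationContext(principal), Boolean.class);
        } catch (SpelParseException e) {
            System.out.println("Failed to parse expression '" + accessExpr + "': " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample principals: admin only, user only, and an unauthenticated visitor.
        RoleRoot admin = new RoleRoot(false, "ROLE_ADMIN");
        RoleRoot user = new RoleRoot(false, "ROLE_USER");
        RoleRoot anon = new RoleRoot(true);

        // The expression from the question: the missing comma makes it fail at parse time.
        evaluate("hasRole('ROLE_USER' 'ROLE_ADMIN')", admin);
        // The corrected expression: either role is enough for /main/home, anonymous is not.
        String fixed = "hasAnyRole('ROLE_USER', 'ROLE_ADMIN')";
        System.out.println("admin=" + evaluate(fixed, admin) + " user=" + evaluate(fixed, user)
                + " anon=" + evaluate(fixed, anon));
        // With use-expressions="true" the login page rule must be an expression too.
        System.out.println("login page for anon=" + evaluate("isAnonymous()", anon));
    }
}
```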
