haskovec

Reputation: 370

Spring Security @RolesAllowed Works but @Secured gives me AccessDeniedException in Spring 3.2 with Spring Security 3.1

I am having an issue where my Controller method with @RolesAllowed works correctly, but if I try to use @Secured I get an AccessDeniedException. While I would prefer to use the @RolesAllowed annotation, it has been declared that for this project we should use @Secured because the name is less confusing when mapped to our legacy access rights.

I have the annotation configured as follows:

<security:global-method-security jsr250-annotations="enabled" secured-annotations="enabled" pre-post-annotations="enabled" />

When I use @RolesAllowed("COMPANY_SEE_REPORTS"), which my user has, it works correctly. When I use @Secured("COMPANY_SEE_REPORTS") I get an AccessDeniedException. Just to make sure @RolesAllowed was working correctly, I changed the role to a role that didn't exist, and at that point @RolesAllowed threw. So my question is: how can I get @Secured to work correctly?

Upvotes: 1

Views: 2567

Answers (1)

Ralph

Reputation: 120771

Try to use a security role with a name that ends with ROLE

From Spring Security Reference:

RoleVoter

The most commonly used AccessDecisionVoter provided with Spring Security is the simple RoleVoter, which treats configuration attributes as simple role names and votes to grant access if the user has been assigned that role.

It will vote if any ConfigAttribute begins with the prefix ROLE_. It will vote to grant access if there is a GrantedAuthority which returns a String representation (via the getAuthority() method) exactly equal to one or more ConfigAttributes starting with the prefix ROLE_. If there is no exact match of any ConfigAttribute starting with ROLE_, the RoleVoter will vote to deny access. If no ConfigAttribute begins with ROLE_, the voter will abstain.

But you can modify the RoleVoter prefix with RoleVoter#setRolePrefix(String rolePrefix).

Upvotes: 3
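The voter behaviour quoted in the answer can be reproduced outside the application. The following is an added example, not code from the question or the answer: it calls the two voters directly with the authority from the question, assuming spring-security-core 3.1 on the classpath; the class name `SecuredPrefixDemo`, the user "demo" and the role COMPANY_EDIT_REPORTS are constructed for illustration.

```java
import java.util.Collections;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.annotation.Jsr250SecurityConfig;
import org.springframework.security.access.annotation.Jsr250Voter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

// Hypothetical demo class; not from the question or the answer.
public class SecuredPrefixDemo {

    static void show(String label, int vote) {
        String name = vote == AccessDecisionVoter.ACCESS_GRANTED ? "GRANTED"
                : vote == AccessDecisionVoter.ACCESS_DENIED ? "DENIED" : "ABSTAIN";
        System.out.println(label + " -> " + name);
    }

    public static void main(String[] args) {
        // Constructed user holding the authority named in the question.
        Authentication user = new TestingAuthenticationToken("demo", "n/a", "COMPANY_SEE_REPORTS");

        // @Secured values are handed to the voters as plain SecurityConfig attributes,
        // @RolesAllowed values as Jsr250SecurityConfig attributes.
        List<ConfigAttribute> secured = SecurityConfig.createList("COMPANY_SEE_REPORTS");
        List<ConfigAttribute> rolesAllowed = Collections.<ConfigAttribute>singletonList(
                new Jsr250SecurityConfig("COMPANY_SEE_REPORTS"));

        RoleVoter roleVoter = new RoleVoter();       // default prefix is "ROLE_"
        Jsr250Voter jsr250Voter = new Jsr250Voter(); // applies no prefix check

        show("Jsr250Voter on @RolesAllowed attribute", jsr250Voter.vote(user, null, rolesAllowed));
        // No attribute starts with "ROLE_", so RoleVoter does not take part in the decision.
        show("RoleVoter on @Secured attribute", roleVoter.vote(user, null, secured));

        // The change the answer points to: drop the prefix requirement.
        roleVoter.setRolePrefix("");
        show("RoleVoter after setRolePrefix(\"\")", roleVoter.vote(user, null, secured));

        // With an empty prefix every attribute is treated as a role name,
        // so a role the user does not hold is now voted on as well.
        show("RoleVoter on a role the user lacks",
                roleVoter.vote(user, null, SecurityConfig.createList("COMPANY_EDIT_REPORTS")));
    }
}
```

To apply the prefix change to the configuration in the question, the customised RoleVoter has to be part of an access decision manager referenced from `global-method-security` via `access-decision-manager-ref`. Supplying a custom manager replaces the default voter list, so the voters that handle `@RolesAllowed` and the pre/post annotations must be listed in it explicitly if those annotations stay in use.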
