lives

Reputation: 1185

Spring Security roles should always be prefixed with ROLE?

In our application we are using Spring Security and we observed that if the role names are not prefixed with ROLE, it does not work.

Our roles are configured in DB and there is no restriction on the name given to a role.

Is there any workaround to avoid the ROLE prefix on roles?

Upvotes: 1

Views: 549

Answers (2)

Ernestas Kardzys

Reputation: 1727

As for me, I haven't noticed this behavior.

In my project I'm using Spring Security 3.1.4.RELEASE with Spring 3.2.3.RELEASE. And my securityContext.xml contains the following lines:

<security:http auto-config="false" use-expressions="true" access-denied-page="/denied.do"
               entry-point-ref="authenticationEntryPoint">
    <security:intercept-url pattern="/index.do" access="hasAnyRole('PROJECT_REVIEW', 'PROJECT_ADMINISTRATOR')"/>
    <!-- Skipped -->
    <security:intercept-url pattern="/**" access="hasAnyRole('PROJECT_REVIEW', 'PROJECT_ADMINISTRATOR')"/>
    <!-- Skipped -->
</security:http>

So, I'm using my custom roles PROJECT_REVIEW, PROJECT_ADMINISTRATOR. And it works fine.

Could you please tell us what error you get?

Upvotes: 1

David Riccitelli

Reputation: 7812

You can find a solution here: Spring Security – adding a custom Role Prefix, according to which you just need to configure the RoleVoter:

<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <beans:property name="rolePrefix" value="" />
</beans:bean>

See also Spring Security Role Prefix and Custom User Details Service.

Upvotes: 1
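
How `RoleVoter` treats a database role with and without the `ROLE_` prefix, as an added example that is not part of the question or either answer: it calls the voter directly, since that is the component that evaluates plain (non-expression) `access` attributes. The user name, the role name and the class `RolePrefixDemo` are constructed for illustration, and spring-security-core is assumed to be on the classpath.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class RolePrefixDemo {

    static String label(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }

    static void show(String title, RoleVoter voter, Authentication user, String attribute) {
        Collection<ConfigAttribute> attrs = SecurityConfig.createList(attribute);
        int vote = voter.vote(user, null, attrs);
        System.out.printf("%-16s access=\"%s\" -> %s%n", title, attribute, label(vote));
    }

    public static void main(String[] args) {
        // Constructed users: the same DB role, stored as-is and mapped with a prefix.
        Authentication raw = new TestingAuthenticationToken("alice", "n/a", "PROJECT_ADMINISTRATOR");
        Authentication mapped = new TestingAuthenticationToken("alice", "n/a", "ROLE_PROJECT_ADMINISTRATOR");

        RoleVoter defaultVoter = new RoleVoter();   // rolePrefix defaults to "ROLE_"
        RoleVoter noPrefixVoter = new RoleVoter();
        noPrefixVoter.setRolePrefix("");            // equivalent to the XML bean in the answer

        // The default voter only votes on attributes that start with its prefix,
        // so an unprefixed role attribute is ignored rather than matched.
        show("default voter", defaultVoter, raw, "PROJECT_ADMINISTRATOR");

        // With an empty prefix every attribute is treated as a role name.
        show("empty prefix", noPrefixVoter, raw, "PROJECT_ADMINISTRATOR");

        // Side effect of the empty prefix: the voter also votes on attributes
        // meant for other voters, such as AuthenticatedVoter's keywords.
        show("default voter", defaultVoter, raw, "IS_AUTHENTICATED_FULLY");
        show("empty prefix", noPrefixVoter, raw, "IS_AUTHENTICATED_FULLY");

        // Alternative: keep the default voter and add the prefix when loading
        // authorities from the DB (for example in a custom UserDetailsService).
        show("prefix on load", defaultVoter, mapped, "ROLE_PROJECT_ADMINISTRATOR");
    }
}
```

When every voter abstains, the access decision manager denies the request unless `allowIfAllAbstainDecisions` is enabled, which is why an unprefixed role in a plain `access` attribute appears not to work with the default voter.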
