Spring Security remove RoleVoter prefix

Question

In the project I am working we authenticate based on role ids rather than role description and this mapping is stored in the database.

My question is, How do I remove Spring Security's RoleVoter prefix to implement the design as above?

Answer 1

Alternative is to avoid prefix on attributes, for example for LDAP:

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        final LdapAuthenticationProviderConfigurer<AuthenticationManagerBuilder> ldapConfigurer = auth.ldapAuthentication();
        ldapConfigurer.rolePrefix("");
    }
}

To avoid using of ROLE_ prefix by RoleVoter define own GrantedAuthorityDefaults:

@EnableGlobalMethodSecurity(securedEnabled = true)
@Configuration
public class SecurityConfig {
    /** Reset prefix to be empty. */
    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");
    }
}

See How do I remove the ROLE_ prefix from Spring Security with JavaConfig?

Answer 2

Since Spring 4 replace hasRole("X") with hasAuthority("X").

https://docs.spring.io/autorepo/docs/spring-security/4.0.0.RC1/reference/html/el-access.html

Answer 3

May be somebody need decision with annotation based for web application

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
protected static class GlobalSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected AccessDecisionManager accessDecisionManager() {
        AffirmativeBased accessDecisionManager = (AffirmativeBased)super.accessDecisionManager();
        for(AccessDecisionVoter voter: accessDecisionManager.getDecisionVoters()){
            if(voter instanceof RoleVoter){
                // do what you whant
            }
        }
        return accessDecisionManager;
    }
}



@Configuration
@EnableWebSecurity
protected static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Bean
    @Primary
    public AccessDecisionManager accessDecisionManager() {
        List<AccessDecisionVoter<? extends Object>> decisionVoters = Arrays.asList(
                new WebExpressionVoter(),
                new RoleVoter(),
                new AuthenticatedVoter()
        );
        return new AffirmativeBased(decisionVoters);
    }
}

Answer 4

Spring security RoleVoterneeds a prefix in order to distinguish the granted authorities that are roles, see this answer for further details.

If you want to change this, you can always provide your own custom AccessDecisionManager and configure it with a customRoleVoter`.

This is an example of such a custom access decision manager:

public class MyAccessDecisionManager  extends AffirmativeBased {


    public MyAccessDecisionManager() {
        super();
        List<AccessDecisionVoter> decisionVoters = new ArrayList<AccessDecisionVoter>();
        RoleVoter roleVoter = new MyCustomRoleVoter();
        decisionVoters.add(roleVoter);
        AuthenticatedVoter authenticatedVoter = new AuthenticatedVoter();
        decisionVoters.add(authenticatedVoter);
        setDecisionVoters(decisionVoters);

    }

And for using it in place of the default access decision manager:

<bean id="myAccessDecisionManager" class="full.package.name.MyAccessDecisionManager" />

<security:http access-decision-manager-ref="myAccessDecisionManager">
    ...
</security:http>