mpiffault

Reputation: 429

Spring security intercept-url with combined multiple roles

I am quite new to Spring and am having some difficulty configuring Spring Security rules.

Here are my rules:

<intercept-url pattern="/administration/**" access="ROLE_ADMINISTRATION" />
<intercept-url pattern="/programmation/**" access="ROLE_ADMINISTRATION, ROLE_SAISIE, ROLE_CONSULTATION" />
<intercept-url pattern="/programmation/validate" access="hasAnyRole('ROLE_ADMINISTRATION', 'ROLE_SAISIE', 'ROLE_CONSULTATION') and hasAnyRole('ROLE_NATIONAL', 'ROLE_REGIONAL')" />
<intercept-url pattern="/restitution/**" access="ROLE_ADMINISTRATION, ROLE_RESTITUTION" />
<intercept-url pattern="/**" access="ROLE_ADMINISTRATION, ROLE_SAISIE, ROLE_CONSULTATION, ROLE_RESTITUTION" />

I just added the third one, and when starting the server, it yields what is, from my point of view, a quite strange exception:

java.lang.IllegalArgumentException: Unsupported configuration attributes: [hasAnyRole('ROLE_ADMINISTRATION', 'ROLE_CONSULTATION') and hasAnyRole('ROLE_NATIONAL', 'ROLE_REGIONAL'), 'ROLE_SAISIE']
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.afterPropertiesSet(AbstractSecurityInterceptor.java:156) [spring-security-core-3.2.5.RELEASE.jar:3.2.5.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1612) [spring-beans-4.0.1.RELEASE.jar:4.0.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1549) [spring-beans-4.0.1.RELEASE.jar:4.0.1.RELEASE]
    ... 49 more

As you can see, it goes from

hasAnyRole('ROLE_ADMINISTRATION', 'ROLE_SAISIE', 'ROLE_CONSULTATION') and hasAnyRole('ROLE_NATIONAL', 'ROLE_REGIONAL')

to

hasAnyRole('ROLE_ADMINISTRATION', 'ROLE_CONSULTATION') and hasAnyRole('ROLE_NATIONAL', 'ROLE_REGIONAL'), 'ROLE_SAISIE'

I suppose there is some kind of bad interaction between the rules, but I can't figure out what exactly happens.

Upvotes: 1

Views: 6398

Answers (1)

Alexey Semenyuk

Reputation: 3303

Try setting the attribute use-expressions="true" on the parent <http> tag; it should be something like this:

<http use-expressions="true">
     <intercept-url pattern="/administration/**" access="hasRole('ROLE_ADMINISTRATION')" />
     <intercept-url pattern="/programmation/**" access="hasAnyRole('ROLE_ADMINISTRATION', 'ROLE_SAISIE', 'ROLE_CONSULTATION')" />
....

Upvotes: 2
