Spring security 4 @PreAuthorize(hasAuthority()) access denied

Question

I am trying to convert a Spring Security 3 @Secured("admin") annotation into Spring Security 4 compatible fashion.

This is my usersService.java

@PreAuthorize("hasAuthority('admin')")
public List<User> getAllUsers() {
    return usersDao.getAllUsers();
}

Then in security-context.xml I have:

<security:intercept-url pattern="/admin" access="permitAll" />
...
<security:global-method-security pre-post-annotations="enabled" />

getAllUsers() is called by a LoginController.java

@RequestMapping("/admin")
public String showAdmin(Model model) {
    List<User> users = usersService.getAllUsers();

    model.addAttribute("users", users);

    return "admin";
}

In mySql database, there are two tables, users and authorities. authorities has 2 columns, username and authority. administrator has authority admin.

Now if I trie to access /admin, I will be redirected to /login, but after I log in with administrator, I still get "access denied".

I think I must have missed something very basic but as I am new to Spring, I could not figure it out. Any help would be appreciated. Thanks.

Update: I tried changing the annotation to @PreAuthorize("hasRole('ROLE_ADMIN')") and I also changed the "authority" column in mySql for admin from "admin" to "ROLE_ADMIN" but it still gives me 403. I did not have much faith on this because before this error, I had to change hasRole('admin') in securityContext.xml to hasAuthority('admin').

Answer 1

You should add in Spring security

@EnableGlobalMethodSecurity(prePostEnabled = true)

Answer 2

Although it's late, nevertheless

hasRole(...) set a prefix for the the content - the default one is ROLE_

hasAuthority(...) checks the content WITHOUT a prefix, i.e. just the pure content

Answer 3

Try this @PreAuthorize("hasRole('ROLE_ADMIN')")