Reputation: 800
I have the following roles definition in Spring Security 4.2.5:
<security:http>
<security:intercept-url pattern="/api/doSomething*"
access="ROLE_SOMETHING_COMPLETELY_DIFFERENT,ROLE_ONE,ROLE_TWO"/>
<security:form-login />
<security:logout />
</security:http>
and context fails to load due to the following exception:
Caused by: java.lang.IllegalArgumentException: Failed to parse expression "ROLE_SOMETHING_COMPLETELY_DIFFERENT,ROLE_ONE,ROLE_TWO"
at org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource.processMap(ExpressionBasedFilterInvocationSecurityMetadataSource.java:84)
at org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource.<init>(ExpressionBasedFilterInvocationSecurityMetadataSource.java:53)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:142)
... 79 more
I am upgrading from Spring Security 3.2 where the aforementioned snippet was working just fine. The following do not work:
access="ROLE_SOMETHING_COMPLETELY_DIFFERENT,ROLE_ONE,ROLE_TWO"
access="ROLE_SOMETHING_COMPLETELY_DIFFERENT, ROLE_ONE, ROLE_TWO"
access='ROLE_SOMETHING_COMPLETELY_DIFFERENT,ROLE_ONE,ROLE_TWO'
access='ROLE_SOMETHING_COMPLETELY_DIFFERENT, ROLE_ONE, ROLE_TWO'
Nevertheless, this works:
access="hasAnyRole('ROLE_SOMETHING_COMPLETELY_DIFFERENT','ROLE_ONE','ROLE_TWO')"
There is no indication, at least from what I have already read, in the Spring Security documentation that such kinds of arguments in the access tag are unparseable. On the contrary, there are a lot of examples using the exact same syntax.
I would like to keep the same syntax in the access fields since there are a lot of them in the project's access management configuration.
EDIT: Using Spring Core version 4.3.15.
Upvotes: 0
Views: 604
Reputation: 16992
Spring Security 4.x changed the default value of the http element's use-expressions attribute. See Migrating from Spring Security 3.x to 4.x (XML Configuration):
6.2. Migrate
The http@use-expressions attribute's default value changed from false to true. This means that if the use-expressions attribute is not explicitly configured, then the configuration will need to be updated. For example, if an application using Spring Security 3.2.x contains a configuration similar to the following:
Spring Security 3.2.x Sample Configuration
<http>
<intercept-url pattern="/login" access="ROLE_ANONYMOUS"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
...
</http>
Observe that the use-expressions attribute is not provided. If it were provided, then nothing needs to be done. The configuration will need to be updated to something similar to the following when using Spring Security 4.x:
Migration to Spring Security 4 Configuration
<http use-expressions="false">
<intercept-url pattern="/login" access="ROLE_ANONYMOUS"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
...
</http>
We explicitly provide the use-expressions attribute. Again, if the attribute was already provided, then nothing needs to be done.
Upvotes: 2
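The answer above gives the drop-in fix: set use-expressions="false" and the comma-separated role lists keep working as in 3.2. If you would rather move the many intercept-url entries to the expression syntax that the question found to work (hasAnyRole(...)), the following is an added example, not code from the question, the answer or the Spring Security project. It is a small Python script that rewrites legacy access lists into SpEL expressions and refuses anything it does not recognise, so a typo cannot silently widen access. The sample configuration embedded in it is constructed from the question's snippet; the mapping of the IS_AUTHENTICATED_* attributes to expression methods is my reading of the AuthenticatedVoter semantics and should be checked against your own decision manager; and the script assumes the namespace default AffirmativeBased decision manager, under which a comma-separated list means "any of these".

```python
import re

# Legacy (use-expressions="false") attributes understood by Spring Security's
# AuthenticatedVoter, mapped to what I take to be the equivalent SpEL forms.
# ROLE_* attributes are handled by RoleVoter and become hasAnyRole(...).
# This mapping is an assumption of this example, not a table from Spring's docs.
AUTHENTICATED_VOTER_MAP = {
    "IS_AUTHENTICATED_FULLY": "isFullyAuthenticated()",
    "IS_AUTHENTICATED_REMEMBERED": "isAuthenticated()",
    "IS_AUTHENTICATED_ANONYMOUSLY": "permitAll",
}

ROLE_PREFIX = "ROLE_"
BARE_EXPRESSIONS = {"permitAll", "denyAll", "authenticated", "anonymous",
                    "fullyAuthenticated", "rememberMe"}
# Matches access="..." or access='...' without crossing the closing quote.
ACCESS_ATTR = re.compile(r'''access=(["'])(?P<value>.*?)\1''')


def legacy_to_expression(value):
    """Translate one legacy access list into one SpEL expression.

    Under the default AffirmativeBased manager the request is granted if ANY
    voter grants, so a comma-separated list is an OR of its parts. Anything
    that is neither a ROLE_* attribute nor a known AuthenticatedVoter attribute
    raises ValueError: the migration fails closed instead of guessing.
    """
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not parts:
        raise ValueError("empty access attribute")
    roles = [p for p in parts if p.startswith(ROLE_PREFIX)]
    others = [p for p in parts if not p.startswith(ROLE_PREFIX)]
    clauses = []
    if roles:
        clauses.append("hasAnyRole(%s)" % ",".join("'%s'" % r for r in roles))
    for attr in others:
        if attr not in AUTHENTICATED_VOTER_MAP:
            raise ValueError("unknown legacy access attribute: %s" % attr)
        clauses.append(AUTHENTICATED_VOTER_MAP[attr])
    return " or ".join(clauses)


def is_convertible(value):
    """True if legacy_to_expression() accepts the value, False otherwise."""
    try:
        legacy_to_expression(value)
        return True
    except ValueError:
        return False


def looks_like_expression(value):
    """Already SpEL (a method call or a bare expression keyword): leave as is."""
    return "(" in value or value.strip() in BARE_EXPRESSIONS


def convert_config(xml_text):
    """Rewrite every legacy access attribute in-place; the rest of the file is untouched.

    Converted attributes are always emitted with double quotes, because the
    expression itself uses single quotes around role names.
    """
    def repl(match):
        value = match.group("value")
        if looks_like_expression(value):
            return match.group(0)
        return 'access="%s"' % legacy_to_expression(value)
    return ACCESS_ATTR.sub(repl, xml_text)


# Constructed sample, based on the question's snippet plus a few extra entries
# to exercise single quotes, spaces, mixed attributes and an existing expression.
SAMPLE_CONFIG = """\
<security:http>
    <security:intercept-url pattern="/api/doSomething*"
        access="ROLE_SOMETHING_COMPLETELY_DIFFERENT,ROLE_ONE,ROLE_TWO"/>
    <security:intercept-url pattern="/admin/**" access='ROLE_ADMIN, IS_AUTHENTICATED_FULLY'/>
    <security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <security:form-login />
    <security:logout />
</security:http>
"""

if __name__ == "__main__":
    print(convert_config(SAMPLE_CONFIG))
```

Run it against the real file only after reviewing the AUTHENTICATED_VOTER_MAP entries, and diff the output before committing: every changed attribute should map one legacy list to one expression, and the script stopping with "unknown legacy access attribute" is the intended behaviour for anything custom (for example attributes served by a custom voter), which must be migrated by hand.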