CODEWITHSUNDEEP
javaspringspring-security
D. Wroblewski
D. Wroblewski

Reputation: 7590

How do I use custom roles/authorities in Spring Security?

While migrating a legacy application to spring security I got the following exception:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainProxy': Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainList': Cannot resolve reference to bean '_filterSecurityInterceptor' while setting bean property 'filters' with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterSecurityInterceptor': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [superadmin]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:480)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
at java.security.AccessController.doPrivileged(Native Method)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)

In the old application there are roles like "superadmin", "editor", "helpdesk" etc. But in all Spring Security examples I only see roles like "ROLE_" ("ROLE_ADMIN" etc). When I rename "superadmin" to "ROLE_ADMIN" and only use this role in the config, everything works.

Doesn't work:

 <http auto-config="true">                                      
    <intercept-url pattern="/restricted/**" access="superadmin"/>
    <form-login
        authentication-failure-url="/secure/loginAdmin.do?error=true"
        login-page="/secure/loginAdmin.do" />        
</http>

Works:

<http auto-config="true">                                      
    <intercept-url pattern="/restricted/**" access="ROLE_ADMIN"/>
    <form-login
        authentication-failure-url="/secure/loginAdmin.do?error=true"
        login-page="/secure/loginAdmin.do" />        
</http>

Is possible to use custom role names?

Upvotes: 33

Views: 71691

Answers (5)

user2601995
user2601995

Reputation: 6803

Using Spring Security 3.2, this worked for me.

Change Role Prefix:

<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <beans:property name="rolePrefix" value="NEW_PREFIX_"/>
</beans:bean>

<beans:bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter"/>   

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:constructor-arg >
        <beans:list>
            <beans:ref bean="roleVoter"/>
            <beans:ref bean="authenticatedVoter"/>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

Depending on where you want to apply the Role Prefix it can be applied at the Security schema level or bean level.

<http access-decision-manager-ref="accessDecisionManager" use-expressions="true">

Apply Role Prefix at Service Level:

<beans:bean id="myService" class="com.security.test">
    <security:intercept-methods  access-decision-manager-ref="accessDecisionManager">
        <security:protect access="NEW_PREFIX_ADMIN"/>
    </security:intercept-methods>
</beans:bean>

Upvotes: 2

rodrigoap
rodrigoap

Reputation: 7480

You are using the default configuration which expects that roles starts with the "ROLE_" prefix. You will have to add a custom security configuration and set rolePrefix to "";

http://forum.springsource.org/archive/index.php/t-53485.html

Upvotes: 41

btpka3
btpka3

Reputation: 3830

You can also always using expression (by config use-expressions="true") to ignore ROLE_ prefix.

After reading Spring Security 3.1 source code, I found when use-expressions="true" :

For <security:http >:
HttpConfigurationBuilder#createFilterSecurityInterceptor() will regist WebExpressionVoter but not RoleVoterAuthenticatedVoter;

For <security:global-method-security >: GlobalMethodSecurityBeanDefinitionParser#registerAccessManager() will regist PreInvocationAuthorizationAdviceVoter (conditionally), then always regist RoleVoterAuthenticatedVoter, regist Jsr250Voter conditionally;

PreInvocationAuthorizationAdviceVoter will process PreInvocationAttribute (PreInvocationExpressionAttribute will be used as implementation) which is generated according @PreAuthorize. PreInvocationExpressionAttribute#getAttribute() always return null, so RoleVoterAuthenticatedVoter do not vote it.

Upvotes: 7

Tomas Romero
Tomas Romero

Reputation: 8698

This might also help:

http://forum.springsource.org/showthread.php?96391-Spring-Security-Plug-in-ROLE_-prefix-mandatory

Bassically, it says you have to write in grails-app/conf/spring/resources.groovy:

roleVoter(org.springframework.security.access.vote.RoleVoter) {
    rolePrefix = ''
}

It worked for me.

Upvotes: 1

Tomasz Nurkiewicz
Tomasz Nurkiewicz

Reputation: 340733

Here is a complete configuration using access expressions (link provided by @rodrigoap seems a little bit outdated):

<http
        access-decision-manager-ref="accessDecisionManager"
        use-expressions="true">

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
            <beans:bean class="org.springframework.security.access.vote.RoleVoter">
                <beans:property name="rolePrefix" value=""/>
            </beans:bean>
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </beans:list>
    </beans:property>
</beans:bean>

Upvotes: 11

Related Questions