How do I use custom roles/authorities in Spring Security?


How do I use custom roles/authorities in Spring Security?



While migrating a legacy application to spring security I got the following exception:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainProxy': Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainList': Cannot resolve reference to bean '_filterSecurityInterceptor' while setting bean property 'filters' with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterSecurityInterceptor': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [superadmin] at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:480) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409) at java.security.AccessController.doPrivileged(Native Method) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380) at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264) 

In the old application there are roles like "superadmin", "editor", "helpdesk" etc. But in all Spring Security examples I only see roles like "ROLE_" ("ROLE_ADMIN" etc). When I rename "superadmin" to "ROLE_ADMIN" and only use this role in the config, everything works.

Doesn't work:

 <http auto-config="true">                                           <intercept-url pattern="/restricted/**" access="superadmin"/>     <form-login         authentication-failure-url="/secure/loginAdmin.do?error=true"         login-page="/secure/loginAdmin.do" />         </http> 

Works:

<http auto-config="true">                                           <intercept-url pattern="/restricted/**" access="ROLE_ADMIN"/>     <form-login         authentication-failure-url="/secure/loginAdmin.do?error=true"         login-page="/secure/loginAdmin.do" />         </http> 

Is possible to use custom role names?




Spring AOP vs AspectJ

1:



How to execute method using spring beans
You are using the default configuration which expects that roles starts with the "ROLE_" prefix.


Why Spring Framework? [closed]
You will have to add a custom security configuration and set rolePrefix to "";.
jBPM + Spring transactions sharing and scope
http://forum.springsource.org/archive/index.php/t-53485.html.
Problem with spring quartz


Hibernate takes 10 mins to throw exception when database is down


Hibernate Exception

2:



Is it possible to send more data in form based authentication in Spring?
Here is a complete configuration using access expressions (link provided by @rodrigoap seems a little bit outdated):.
<http         access-decision-manager-ref="accessDecisionManager"         use-expressions="true">  <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">     <beans:property name="decisionVoters">         <beans:list>             <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>             <beans:bean class="org.springframework.security.access.vote.RoleVoter">                 <beans:property name="rolePrefix" value=""/>             </beans:bean>             <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>         </beans:list>     </beans:property> </beans:bean> 


3:


You can also always using expression (by config use-expressions="true") to ignore ROLE_ prefix.

. After reading Spring Security 3.1 source code, I found when use-expressions="true" : . For <security:http >:
HttpConfigurationBuilder#createFilterSecurityInterceptor() will regist WebExpressionVoter but not RoleVoterAuthenticatedVoter; . For <security:global-method-security >: GlobalMethodSecurityBeanDefinitionParser#registerAccessManager() will regist PreInvocationAuthorizationAdviceVoter (conditionally), then always regist RoleVoterAuthenticatedVoter, regist Jsr250Voter conditionally;. PreInvocationAuthorizationAdviceVoter will process PreInvocationAttribute (PreInvocationExpressionAttribute will be used as implementation) which is generated according @PreAuthorize.

PreInvocationExpressionAttribute#getAttribute() always return null, so RoleVoterAuthenticatedVoter do not vote it..


4:


Using Spring Security 3.2, this worked for me.

. Change Role Prefix:.
<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">     <beans:property name="rolePrefix" value="NEW_PREFIX_"/> </beans:bean>  <beans:bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter"/>     <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">     <beans:constructor-arg >         <beans:list>             <beans:ref bean="roleVoter"/>             <beans:ref bean="authenticatedVoter"/>         </beans:list>     </beans:constructor-arg> </beans:bean> 
Depending on where you want to apply the Role Prefix it can be applied at the Security schema level or bean level..
<http access-decision-manager-ref="accessDecisionManager" use-expressions="true"> 
Apply Role Prefix at Service Level:.
<beans:bean id="myService" class="com.security.test">     <security:intercept-methods  access-decision-manager-ref="accessDecisionManager">         <security:protect access="NEW_PREFIX_ADMIN"/>     </security:intercept-methods> </beans:bean> 


5:


This might also help:. http://forum.springsource.org/showthread.php?96391-Spring-Security-Plug-in-ROLE_-prefix-mandatory. Bassically, it says you have to write in grails-app/conf/spring/resources.groovy:.
roleVoter(org.springframework.security.access.vote.RoleVoter) {     rolePrefix = '' } 
It worked for me..



94 out of 100 based on 64 user ratings 814 reviews

*