How do I use custom roles/authorities in Spring Security?

How do I use custom roles/authorities in Spring Security?

While migrating a legacy application to spring security I got the following exception:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainProxy': Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainList': Cannot resolve reference to bean '_filterSecurityInterceptor' while setting bean property 'filters' with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterSecurityInterceptor': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [superadmin] at at$ at Method) at at$1.getObject( 

In the old application there are roles like "superadmin", "editor", "helpdesk" etc. But in all Spring Security examples I only see roles like "ROLE_" ("ROLE_ADMIN" etc). When I rename "superadmin" to "ROLE_ADMIN" and only use this role in the config, everything works.

Doesn't work:

 <http auto-config="true">                                           <intercept-url pattern="/restricted/**" access="superadmin"/>     <form-login         authentication-failure-url="/secure/"         login-page="/secure/" />         </http> 


<http auto-config="true">                                           <intercept-url pattern="/restricted/**" access="ROLE_ADMIN"/>     <form-login         authentication-failure-url="/secure/"         login-page="/secure/" />         </http> 

Is possible to use custom role names?

Spring AOP vs AspectJ


How to execute method using spring beans
You are using the default configuration which expects that roles starts with the "ROLE_" prefix.

Why Spring Framework? [closed]
You will have to add a custom security configuration and set rolePrefix to "";.
jBPM + Spring transactions sharing and scope
Problem with spring quartz

Hibernate takes 10 mins to throw exception when database is down

Hibernate Exception


Is it possible to send more data in form based authentication in Spring?
Here is a complete configuration using access expressions (link provided by @rodrigoap seems a little bit outdated):.
<http         access-decision-manager-ref="accessDecisionManager"         use-expressions="true">  <beans:bean id="accessDecisionManager" class="">     <beans:property name="decisionVoters">         <beans:list>             <beans:bean class=""/>             <beans:bean class="">                 <beans:property name="rolePrefix" value=""/>             </beans:bean>             <beans:bean class=""/>         </beans:list>     </beans:property> </beans:bean> 


You can also always using expression (by config use-expressions="true") to ignore ROLE_ prefix.

. After reading Spring Security 3.1 source code, I found when use-expressions="true" : . For <security:http >:
HttpConfigurationBuilder#createFilterSecurityInterceptor() will regist WebExpressionVoter but not RoleVoterAuthenticatedVoter; . For <security:global-method-security >: GlobalMethodSecurityBeanDefinitionParser#registerAccessManager() will regist PreInvocationAuthorizationAdviceVoter (conditionally), then always regist RoleVoterAuthenticatedVoter, regist Jsr250Voter conditionally;. PreInvocationAuthorizationAdviceVoter will process PreInvocationAttribute (PreInvocationExpressionAttribute will be used as implementation) which is generated according @PreAuthorize.

PreInvocationExpressionAttribute#getAttribute() always return null, so RoleVoterAuthenticatedVoter do not vote it..


Using Spring Security 3.2, this worked for me.

. Change Role Prefix:.
<beans:bean id="roleVoter" class="">     <beans:property name="rolePrefix" value="NEW_PREFIX_"/> </beans:bean>  <beans:bean id="authenticatedVoter" class=""/>     <beans:bean id="accessDecisionManager" class="">     <beans:constructor-arg >         <beans:list>             <beans:ref bean="roleVoter"/>             <beans:ref bean="authenticatedVoter"/>         </beans:list>     </beans:constructor-arg> </beans:bean> 
Depending on where you want to apply the Role Prefix it can be applied at the Security schema level or bean level..
<http access-decision-manager-ref="accessDecisionManager" use-expressions="true"> 
Apply Role Prefix at Service Level:.
<beans:bean id="myService" class="">     <security:intercept-methods  access-decision-manager-ref="accessDecisionManager">         <security:protect access="NEW_PREFIX_ADMIN"/>     </security:intercept-methods> </beans:bean> 


This might also help:. Bassically, it says you have to write in grails-app/conf/spring/resources.groovy:.
roleVoter( {     rolePrefix = '' } 
It worked for me..

94 out of 100 based on 64 user ratings 814 reviews