Closed
Description
Summary
In GlobalMethodSecurityConfiguration, the RoleVoter.setRolePrefix() method is not configured with the GrantedAuthorityDefaults bean.
Actual Behavior
I created a GrantedAuthorityDefaults bean in my application with a blank role prefix ("") but methods using the @Secured annotation still tried to match the default ROLE_ prefix in the RoleVoter.
Expected Behavior
I would expect the RoleVoter.setRolePrefix() method to be called with the rolePrefix configured in the GrantedAuthorityDefaults bean, similar to how the Jsr250MethodSecurityMetadataSource class is configured.
Configuration
Spring Boot 1.5.3.RELEASE
Version
Spring Security 4.2.3.RELEASE
Sample
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class GlobalMethodSecurityConfigurer {

    // Blank prefix: authorities are stored as "shopper", not "ROLE_shopper"
    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");
    }
}

@Service
public class ShopperService {

    // ShopperRepository is the repository type implied by the sample (not shown in the report)
    private final ShopperRepository shopperRepository;

    public ShopperService(ShopperRepository shopperRepository) {
        this.shopperRepository = shopperRepository;
    }

    @Secured("shopper")
    @Transactional
    public Shopper getShopper(String username) {
        return shopperRepository.findOne(username);
    }
}
Log output:
2017-11-27 21:10:09.008 DEBUG 70275 --- [nio-8080-exec-2] o.s.s.a.i.a.MethodSecurityInterceptor : Secure object: ReflectiveMethodInvocation: public Shopper ShopperService.getShopper(java.lang.String); target is of class [ShopperService]; Attributes: [shopper]
2017-11-27 21:10:20.653 DEBUG 70275 --- [nio-8080-exec-2] o.s.s.a.i.a.MethodSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4c3395fc: Principal: org.springframework.security.core.userdetails.User@75a33cdd: Username: bonhamcm; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: shopper; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: fe80:0:0:0:0:0:0:1%1; SessionId: E6CC9F6FE8BE304F5789F6BC07D50557; Granted Authorities: shopper
2017-11-27 21:10:25.903 DEBUG 70275 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@474f1992, returned: 0
2017-11-27 21:10:30.510 DEBUG 70275 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.access.annotation.Jsr250Voter@7c7ff698, returned: 0
2017-11-27 21:10:34.238 DEBUG 70275 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.access.vote.RoleVoter@12ad043e, returned: 0
2017-11-27 21:10:37.743 DEBUG 70275 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.access.vote.AuthenticatedVoter@701403e9, returned: 0
...
2017-11-27 21:11:28.145 ERROR 70275 --- [nio-8080-exec-2] o.a.c.c.C.[Tomcat].[localhost].[/] : Exception
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AbstractAccessDecisionManager.checkAllowIfAllAbstainDecisions(AbstractAccessDecisionManager.java:70)
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:89)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:65)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:673)
at ShopperService$$EnhancerBySpringCGLIB$$101d7290.getShopper(<generated>)
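Until the RoleVoter picks up GrantedAuthorityDefaults on its own, a configuration can rebuild the default voter chain itself. The class below is an added example, not the reporter's code and not a Spring Security fix: it assumes the configuration extends GlobalMethodSecurityConfiguration (the report's GlobalMethodSecurityConfigurer does not) and that the GrantedAuthorityDefaults bean is declared in the same class, so calling the @Bean method returns the managed singleton.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.annotation.Jsr250Voter;
import org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice;
import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.config.core.GrantedAuthorityDefaults;

// Assumed class name; replaces the report's GlobalMethodSecurityConfigurer
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    // Same blank prefix as in the report: authorities are "shopper", not "ROLE_shopper"
    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");
    }

    // Same four voters as the default AffirmativeBased manager, but the RoleVoter
    // used for @Secured now gets the prefix the Jsr250 metadata source already gets
    @Override
    protected AccessDecisionManager accessDecisionManager() {
        String rolePrefix = grantedAuthorityDefaults().getRolePrefix();

        ExpressionBasedPreInvocationAdvice expressionAdvice = new ExpressionBasedPreInvocationAdvice();
        expressionAdvice.setExpressionHandler(getExpressionHandler());

        RoleVoter roleVoter = new RoleVoter();
        roleVoter.setRolePrefix(rolePrefix); // "" here, so @Secured("shopper") matches the "shopper" authority

        List<AccessDecisionVoter<? extends Object>> voters = new ArrayList<AccessDecisionVoter<? extends Object>>();
        voters.add(new PreInvocationAuthorizationAdviceVoter(expressionAdvice));
        voters.add(new Jsr250Voter());
        voters.add(roleVoter);
        voters.add(new AuthenticatedVoter());
        return new AffirmativeBased(voters);
    }
}
```

With an empty prefix the RoleVoter supports every non-null config attribute, not only ROLE_-prefixed ones; under AffirmativeBased a single grant still wins, so the JSR-250 and pre/post voters keep deciding their own annotations.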