Announcement Announcement Module
Collapse
No announcement yet.
Spring Security Plug-in: ROLE_ prefix mandatory? Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring Security Plug-in: ROLE_ prefix mandatory?

    Hi,

    I was experimenting with the security plug-in and things were just not working. Whenever I hit the secured controller, I would get the error:

    Code:
    EL1008E:(pos 0): Field or property 'AUTHORITY_CODE' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot'
    I changed the authority to "ROLE_AUTHORITY_CODE" and things worked just fine!

    Why must authorities start with the "ROLE_" prefix? I find that to be an unnecessary constraint. Is there a good reason behind this?

    Regards,
    Tarek

  • #2
    Roles are processed by the RoleVoter and having a prefix lets the voter know which tokens are role names so it can ignore ones it can't process. For example you can specify "ROLE_ADMIN,IS_AUTHENTICATED_FULLY" but you wouldn't want that voter to process IS_AUTHENTICATED_FULLY - AuthenticatedVoter should handle that.

    It gets more complicated if you just use "IS_AUTHENTICATED_FULLY" since that should trigger a form authentication if you logged in with a remember-me cookie. But if you didn't use a prefix, then you would be denied access to that URL if you were logged in because you wouldn't have that 'role'.

    The name of the role is primarily an internal thing - if you want you can always strip off the ROLE_ prefix when displaying the role names in the UI.

    Comment


    • #3
      Thanks, Burt, for the clarification.

      I had assumed that was something specific to the plug-in, but when I read your explanation, it was clear that it was coming from Spring Security itself.

      That was strange, since in our last project, we were using v.2.0.5 and all our authority names did not start with "ROLE_".

      Upon checking the configuration, I found that someone from the team had added this:

      Code:
      	<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
      		<property name="rolePrefix" value=""></property>
      	</bean>
      Mystery resolved

      Comment


      • #4
        You can do the same with this plugin, but the package changed from Spring Security 2 to 3, so it'd be

        Code:
        roleVoter(org.springframework.security.access.vote.RoleVoter) {
           rolePrefix = ''
        }
        This is using the Spring bean DSL since the bean override should go in grails-app/conf/spring/resources.groovy.

        Comment

        Working...
        X