  • sec:authorize, configuration and roles with version 3.1.2

    Using spring-security, I have a custom UserDetailsService, returning the following UserDetails:
    Code:
        ...
        HashSet<SimpleGrantedAuthority> authSet = new HashSet<SimpleGrantedAuthority>();
        authSet.add(new SimpleGrantedAuthority("ROLE_USER"));
    
        if(user.isAdmin()){
            authSet.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
        }
    
        return new User(user.getUsername(), user.getPassword(), 
            user.isActive(), !user.isExpired(), !user.isCredentialsExpired(),
            !user.isLocked(), authSet);
    In the security config file, I have the following:
    Code:
        <http use-expressions="true">
            <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
            ...
    And in a JSP page, the following code:
    Code:
        <sec:authorize access="hasRole('ROLE_ADMIN')">
            <h4><a href="/admin/balances">Admin</a></h4>
        </sec:authorize>
    With spring-security-3.1.1 everything is working as expected, but with versions 3.1.2 & 3.1.3, users with ADMIN_ROLE can't see the link, nor do they have access to the URL directly in the browser.

    Please, could you tell me if I'm doing something wrong? Or could it be a bug?
    I'm looking at the release notes for the new versions but can't find any specific mention of whether something changed about this.

    Thanks in advance.

  • #2
    The problem seems to be related to the custom SignInAdapter. Initially, I was using the following code:
    Code:
    UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), null);
    I've changed the code to save the whole User object as the principal:
    Code:
    UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
    I'm wondering why it seemed to work sometimes with the previous code, but now it works with every recent version of spring-security.

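    The following is an added example, not code from either post, showing why the two token constructions in #2 behave differently: hasRole() in Spring Security's SecurityExpressionRoot evaluates the authorities held by the Authentication object itself, not those of whatever UserDetails the principal happens to be. It assumes Spring Security 3.1.x on the classpath; the admin user and the small hasRole() helper (a simplified stand-in for the real expression evaluation) are constructed here for illustration.

    ```java
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.AuthorityUtils;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;

    public class AuthorityPropagationDemo {

        // Simplified stand-in for what hasRole(...) does in SecurityExpressionRoot:
        // it walks Authentication.getAuthorities(), never the principal's own list.
        static boolean hasRole(Authentication auth, String role) {
            for (GrantedAuthority ga : auth.getAuthorities()) {
                if (role.equals(ga.getAuthority())) {
                    return true;
                }
            }
            return false;
        }

        public static void main(String[] args) {
            // Constructed admin user, equivalent to what the custom UserDetailsService
            // in the first post returns (ROLE_USER plus ROLE_ADMIN).
            UserDetails admin = new User("alice", "secret",
                    AuthorityUtils.createAuthorityList("ROLE_USER", "ROLE_ADMIN"));

            // Original SignInAdapter code: authorities passed as null.
            // AbstractAuthenticationToken stores an empty authority list in that case,
            // so the token is flagged authenticated but carries no roles at all.
            Authentication withoutAuthorities = new UsernamePasswordAuthenticationToken(
                    admin.getUsername(), admin.getPassword(), null);

            // Corrected code from #2: the UserDetails is the principal and its
            // authorities are copied onto the token, which is what hasRole() reads.
            Authentication withAuthorities = new UsernamePasswordAuthenticationToken(
                    admin, admin.getPassword(), admin.getAuthorities());

            System.out.println("authorities on null-authority token: "
                    + withoutAuthorities.getAuthorities());
            System.out.println("ROLE_ADMIN on null-authority token: "
                    + hasRole(withoutAuthorities, "ROLE_ADMIN"));
            System.out.println("ROLE_ADMIN on corrected token: "
                    + hasRole(withAuthorities, "ROLE_ADMIN"));
        }
    }
    ```

    Running it prints an empty authority list and a failed ROLE_ADMIN check for the first token, and a successful check for the second, which is exactly the difference between the hidden link and the visible one.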