将应用程序从Spring Security 3迁移到4，面临RoleVoter类的问题

Question

We are upgrading our application from Spring 3.0.1 to Spring 4.1.6. We are also upgrading Spring Security Module to 4.0.1

The problem that we are facing is with access to links.

Little Background:

Each link is tagged to a certain ROLE, to access a link user needs to have that ROLE

<security:http  auto-config="false" access-decision-manager-ref="urlAccessDecisionManager" entry-point-ref="authenticationEntryPoint" use-expressions="true">
    <security:access-denied-handler error-page="/admin/error.html" /> 
    <security:csrf disabled="true"/>
    <security:session-management invalid-session-url="/admin/sign-in.html" >
       <!--<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />  -->
    </security:session-management>
    <security:form-login login-page="/admin/sign-in.html" authentication-success-handler-ref="loginSuccessHandler" default-target-url="/admin/index.html"
                         username-parameter="j_username"
                         password-parameter="j_password"
                         login-processing-url="/j_spring_security_check"
                         always-use-default-target="false"
                         authentication-failure-url="/admin/sign-in.html?error=1" />

    <security:logout logout-url="/admin/logout.html" invalidate-session="true" logout-success-url="/admin/sign-in.html"/>   
    <security:intercept-url pattern="/admin/index.html*" access="ROLE_ADMIN_OVERALL_DASHBOARD" />
    <security:intercept-url pattern="/admin/accounts/index.html*" access="ROLE_ADMIN_ACCOUNT_LISTING" />
     ......
     ......
     ......

  </security:http>

For making the access decision we have urlAccessDecisionManager , along with three voters as shown below:

<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>
<bean id="urlAccessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <constructor-arg>
        <list>
            <ref bean="roleVoter" />
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            <ref bean="urlCustomVoter"/>
        </list>
    </constructor-arg>
    </bean>

The issue is that RoleVoter is not working even though the role start with 'ROLE_'(found out this after reading different blogs and questions) . So to find the problem i debugged the spring security source and found out that supports() method of RoleVoter was returning false.So i looked into the method further:

public boolean supports(ConfigAttribute attribute) {
        if ((attribute.getAttribute() != null)
                && attribute.getAttribute().startsWith(getRolePrefix())) {
            return true;
        }
        else {
            return false;
        }
    }

It turned out that attribute.getAttribute() was returning NULL because the attribute was object of type WebExpressionConfigAttribute , which by default returns NULL for getAttributed() method.

At the same time i debugged our old code which is using Spring Security 3.0.1 , and found that in the old code the attribute object was of type SecurityConfig .

So can someone please point out what configuration mistake we have made because of which the user is not able to get access to link even though he has all ROLES tagged to him.

Answer 1

The Spring Security 4.x Migration Guide refers to a sample project on Github showing changes required to the XML configuration for enforcing specific roles on URLs.

As per the sample, the line:

<security:intercept-url pattern="/admin/index.html*"
                        access="ROLE_ADMIN_OVERALL_DASHBOARD" />

needs to be changed to:

<security:intercept-url pattern="/admin/index.html*" 
                        access="hasRole('ROLE_ADMIN_OVERALL_DASHBOARD')" />

(the role name needs to be wrapped in a call to hasRole() .

With Spring Security 4.x, the ROLE_ prefix can also be omitted from the role name as the fix for the Spring JIRA 2758 ensures that the prefix is automatically applied to role names without that prefix.