Spring Security JSP授权标签不起作用

Question

I have following spring security configurations:

<security:http auto-config="true">  
    <security:intercept-url pattern="/**" access="permitAll" />
    <security:form-login 
        login-processing-url="/j_spring_security_check"
        login-page="/login" 
        default-target-url="/" 
        authentication-failure-url="/login?error"
        username-parameter="login"
        password-parameter="password" />  
    <security:logout logout-url="/j_spring_security_logout" logout-success-url="/login" />
    <security:csrf disabled="true"/>
</security:http>

I want to make specific page(let's say index page("/")) accessible for everybody(both authenticated and non-authenticated users), but, at the same time, be able to manage which parts should be seen in jsp depending on whether user is authenticated or not, and its roles.

My jsp part looks like this:

<%@ page contentType="text/html" pageEncoding="UTF-8"%>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%@ taglib prefix="t" tagdir="/WEB-INF/tags" %>

<t:main>
    <jsp:attribute name="title">
        Posts
    </jsp:attribute>
    <jsp:body>
        <sec:authorize access="hasRole('ADMIN')">
            <a href="/blog/createPost">Create post</a>
        </sec:authorize>

        <br>

        <c:forEach var="post" items="${posts}">
            <hr width="300" align="left">
            <div>
                <h4><a href="/blog/viewPost/${post.id}">${post.title}</a></h4>
                <div>${post.content}</div>
            </div>
        </c:forEach>
    </jsp:body>
</t:main>

All authentication mechanism works fine. The problem is that, the link is never displayed, even if I log in using 'ADMIN' role .

I tried debugging my UserDetailsService implementation and verified that 'ADMIN' role is successfully fetched and filled into userdetails:

@Override
public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
    User user = userDao.findOneByLogin(login);

    if (user == null) {
        throw new UsernameNotFoundException(login + " not found");
    }

    List<GrantedAuthority> authList = new ArrayList<>();
    List<Role> roles = user.getRoles();

    for (Role role : roles) {
        authList.add(new SimpleGrantedAuthority(role.getName()));
    }

    return new org.springframework.security.core.userdetails.User(
            user.getLogin(), user.getPassword(), authList);
}

Thanks, in advance!

Answer 1

After a few hours of searching and reading Spring Security 4 docs, finally, I realized the reason of the problem.

Here is some info from spring docs:

hasRole([role])

Returns true if the current principal has the specified role. By default if the supplied role does not start with 'ROLE_' it will be added. This can be customized by modifying the defaultRolePrefix on DefaultWebSecurityExpressionHandler.

hasAuthority([authority])

Returns true if the current principal has the specified authority.

So, according to the statements above, we can conclude that, by default, Spring Security 4 expects all your "roles" to start with "ROLE_" prefix, while all others are threated as simple authorities/permissions.

In my case I had "ADMIN" role saved in database, and whenever I tried checking role like hasRole('ADMIN') Spring was converting this to hasRole('ROLE_ADMIN') , thus evaluating this expression to false.

There are two types of fixes here, either I rename my 'ADMIN' role to 'ROLE_ADMIN' (as Spring expects it) in database or use hasAuthority('ADMIN') expression instead.

Answer 2

Your problem seems to be in the configuration. In order to use hasRole , hasAnyRole expressions you need to set use-expressions="true" in the security:http tag.

<security:http auto-config="true" use-expressions="true">  

Else you have to directly use the role name directly in your security tag,

<sec:authorize access="ADMIN">
    <a href="/blog/createPost">Create post</a>
</sec:authorize>