
hasRole() not working error Http Status 403 - Access is denied

Following is configuration in my security-config file:

<security:http use-expressions="true">
    <security:intercept-url pattern="/adminarea"
        access="hasRole('admin')" />
    <security:intercept-url pattern="/logincheck"
        access="permitAll" />
    <security:intercept-url pattern="/newaccount"
        access="permitAll" />
    <security:intercept-url pattern="/createnewaccount"
        access="permitAll" />
    <security:intercept-url pattern="/home"
        access="isAuthenticated()" />
    <security:intercept-url pattern="/static/**"
        access="permitAll" />
    <security:intercept-url pattern="/" access="permitAll" />
    <security:intercept-url pattern="/**" access="denyAll" />
    <security:form-login login-page="/"
        authentication-failure-url="/?error=true" default-target-url="/home" />
</security:http>

I am using Spring's default login, which is working fine. But when I try to access /adminarea I get an Http Status 403 - Access is denied error. Any help?

Edited: AuthenticationManager

<security:authentication-manager>
    <security:authentication-provider>
        <security:jdbc-user-service
            data-source-ref="dataSource" />
    </security:authentication-provider>
</security:authentication-manager>

code on JSP:

<sec:authentication property="principal"/>
<sec:authorize access="hasRole('admin')">
    <a href="${pageContext.request.contextPath}/adminarea">Admin Area</a>
</sec:authorize>

The first tag outputs the following:

org.springframework.security.core.userdetails.User@6d8e08d5: Username: zubi@yahoo.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: admin

The second tag outputs nothing.

I assume you have created the following tables:

  create table users(
      username varchar_ignorecase(50) not null primary key,
      password varchar_ignorecase(50) not null,
      enabled boolean not null);

  create table authorities (
      username varchar_ignorecase(50) not null,
      authority varchar_ignorecase(50) not null,
      constraint fk_authorities_users foreign key(username) references users(username));

  create unique index ix_auth_username on authorities (username,authority);

These are required by the authentication manager configuration above in your application context XML.

And that you have inserted the role admin into the authorities table.

I fixed the problem by setting the role in the DB as ROLE_XXX, or in my case ROLE_ADMIN, and then using the following code:

security configuration:

<security:intercept-url pattern="/adminarea"
        access="hasRole('ROLE_ADMIN')" />

JSP:

<sec:authorize access="hasRole('ROLE_ADMIN')">
    <a href="${pageContext.request.contextPath}/adminarea">Admin Area</a>
</sec:authorize>

From my experimenting to get it to work, I guess roles defined need to be in CAPITALS and should be prefixed with ROLE_.

Hope it helps anybody running into this problem.
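An added example (not from either answer or from Spring Security itself) that shows why the mismatch above produces a 403: it models the Spring Security 4+ rule that `hasRole('x')` compares against `ROLE_x` unless the argument already starts with `ROLE_`, and that the comparison against the stored authority string is exact, then walks the question's `intercept-url` entries and reports which ones no granted authority can ever satisfy. The XML fragment and the authority sets are constructed samples taken from the question and the fix; the helper names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the intercept-url entries from the question, with the
# Spring Security namespace declared so ElementTree can parse the fragment.
SECURITY_XML = """<security:http xmlns:security="http://www.springframework.org/schema/security"
    use-expressions="true">
    <security:intercept-url pattern="/adminarea" access="hasRole('admin')" />
    <security:intercept-url pattern="/home" access="isAuthenticated()" />
    <security:intercept-url pattern="/**" access="denyAll" />
</security:http>"""

# The same fragment after applying the accepted fix (role renamed to ROLE_ADMIN).
FIXED_XML = SECURITY_XML.replace("hasRole('admin')", "hasRole('ROLE_ADMIN')")

NS = "{http://www.springframework.org/schema/security}"
ROLE_PREFIX = "ROLE_"


def with_default_prefix(role, prefix=ROLE_PREFIX):
    """Model (assumption, not the library's own code) of the Spring Security 4+
    rule: hasRole() prepends ROLE_ unless the argument already carries it."""
    return role if role.startswith(prefix) else prefix + role


def required_authorities(expression):
    """Authority strings that hasRole(...) / hasAuthority(...) in one access
    expression are compared against; permitAll/denyAll/isAuthenticated() need none."""
    required = set()
    for fn, arg in re.findall(r"(hasRole|hasAuthority)\('([^']*)'\)", expression):
        required.add(with_default_prefix(arg) if fn == "hasRole" else arg)
    return required


def unreachable_urls(xml_text, granted):
    """Map each intercept-url pattern to the authorities it needs that nobody in
    `granted` holds. The set comparison is exact and case-sensitive, like the
    GrantedAuthority string check, so 'ROLE_admin' never matches 'ROLE_ADMIN'."""
    root = ET.fromstring(xml_text)
    problems = {}
    for url in root.iter(NS + "intercept-url"):
        missing = required_authorities(url.get("access", "")) - granted
        if missing:
            problems[url.get("pattern")] = missing
    return problems


if __name__ == "__main__":
    # Constructed authority sets: what the question's DB held, and the fix.
    print(unreachable_urls(SECURITY_XML, {"admin"}))     # {'/adminarea': {'ROLE_admin'}}
    print(unreachable_urls(FIXED_XML, {"ROLE_ADMIN"}))   # {}
```

Running it against the original config and an authority of `admin` flags `/adminarea` as needing `ROLE_admin`, which is exactly the 403 the question describes; the fixed config with `ROLE_ADMIN` stored reports nothing.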
