Spring Security hasAnyRole not working

I am developing a Spring and MongoDB security authentication application. The authentication method works fine, but only with ROLE_ADMIN. All methods that require authentication are annotated with:

@PreAuthorize("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")

When I try to authenticate with a user with ROLE_USER, I always get a rejection.

My Spring Security configuration:

 <security:global-method-security pre-post-annotations="enabled" />

 <security:http auto-config="true" use-expressions="true">
     <intercept-url pattern="/login" access="permitAll" />
     <intercept-url pattern="/logout" access="permitAll" />
     <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')" />
     <security:form-login login-page="/login" default-target-url="/admin/main"
                          authentication-failure-url="/accessdenied" />
     <security:logout logout-success-url="/logout" />
     <security:session-management>
         <security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1" />
     </security:session-management>
 </security:http>

If I use:

 <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')" /> 

I get access failures for both ROLE_ADMIN and ROLE_USER.

If I use:

 <intercept-url pattern="/admin/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" /> 

I can log in with a ROLE_ADMIN user, but I cannot with a ROLE_USER one.

And in my LoginService I have:

 import java.util.ArrayList;
 import java.util.List;

 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;

 public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
     boolean enabled = true;
     boolean accountNonExpired = true;
     boolean credentialsNonExpired = true;
     boolean accountNonLocked = true;
     User user = getUserDetail(email);
     // Build the Spring Security principal from the MongoDB user record;
     // the granted authorities come from the user's isAdmin flag.
     userdetails = new org.springframework.security.core.userdetails.User(
             user.getEmail(), user.getPwd(), enabled, accountNonExpired,
             credentialsNonExpired, accountNonLocked,
             getAuthorities(user.getIsAdmin()));
     return userdetails;
 }

 // 0 -> ROLE_USER, 1 -> ROLE_ADMIN; any other value adds no authority at all.
 public List<GrantedAuthority> getAuthorities(Integer role) {
     List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>();
     if (role.intValue() == 0) {
         authList.add(new SimpleGrantedAuthority("ROLE_USER"));
     } else if (role.intValue() == 1) {
         authList.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
     }
     System.out.println(authList);
     return authList;
 }

What am I missing?

+5

2 answers

If you have a problem like this, first try adding a lot of System.out.println calls (or debug logging) to find out whether your method is reached and what it returns, and also change:

 hasRole('ROLE_ADMIN') and hasRole('ROLE_USER') 

to

 hasRole('ROLE_ADMIN') or hasRole('ROLE_USER') 

And check whether role.intValue() == 0 prints true in the sysout.

+2

This:

 access="hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')"

means that both roles must be set at the same time, and the posted code shows that this will never happen, because only one of the two roles is ever set.

That is a different expression from hasAnyRole('ROLE_ADMIN', 'ROLE_USER'), which is true if at least one of those roles is set. hasAnyRole behaves like an or condition, not an and condition.

+2
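To make the difference concrete, here is an added example (not code from the question or from either answer) that evaluates the two access expressions offline with Spring Security's own web expression handler, against an Authentication carrying exactly the authorities the posted getAuthorities() produces for a given isAdmin value. The class name, the sample e-mail addresses and the isAdmin values are constructed for the example. It also covers a value other than 0 or 1, for which the posted mapping adds no authority at all, and a null isAdmin, on which the posted role.intValue() would throw.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

/**
 * Added example, not from the original post: evaluates intercept-url access
 * expressions against a hand-built Authentication so the expression semantics
 * can be checked without starting the web application.
 */
public class AccessExpressionCheck {

    private static final DefaultWebSecurityExpressionHandler HANDLER =
            new DefaultWebSecurityExpressionHandler();

    /** Evaluate a web-security SpEL access expression for auth on servletPath. */
    static boolean isGranted(String expression, Authentication auth, String servletPath) {
        Expression expr = HANDLER.getExpressionParser().parseExpression(expression);
        // FilterInvocation(servletPath, method) builds a mock request/response pair;
        // it is the constructor Spring Security's own tests use.
        FilterInvocation fi = new FilterInvocation(servletPath, "GET");
        EvaluationContext ctx = HANDLER.createEvaluationContext(auth, fi);
        return ExpressionUtils.evaluateAsBoolean(expr, ctx);
    }

    /**
     * Same mapping as the question's getAuthorities(): 0 -> ROLE_USER,
     * 1 -> ROLE_ADMIN, anything else -> no authority. null is handled here
     * instead of dereferenced, so the caller sees an empty list, not an NPE.
     */
    static List<GrantedAuthority> authoritiesFor(Integer isAdmin) {
        if (isAdmin == null) {
            return AuthorityUtils.NO_AUTHORITIES;
        }
        switch (isAdmin.intValue()) {
            case 0:  return AuthorityUtils.createAuthorityList("ROLE_USER");
            case 1:  return AuthorityUtils.createAuthorityList("ROLE_ADMIN");
            default: return AuthorityUtils.NO_AUTHORITIES;
        }
    }

    /** The three-argument token constructor marks the Authentication as authenticated. */
    static Authentication authenticatedAs(String email, Integer isAdmin) {
        return new UsernamePasswordAuthenticationToken(email, "n/a", authoritiesFor(isAdmin));
    }

    public static void main(String[] args) {
        String andExpr = "hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')";
        String anyExpr = "hasAnyRole('ROLE_ADMIN', 'ROLE_USER')";

        // Constructed sample principals; the addresses and flag values are assumptions.
        List<Authentication> samples = Arrays.asList(
                authenticatedAs("admin@example.com", 1),
                authenticatedAs("user@example.com", 0),
                authenticatedAs("odd@example.com", 2),
                authenticatedAs("nullflag@example.com", null));

        for (Authentication a : samples) {
            System.out.printf("%-22s authorities=%-14s and=%-5b hasAnyRole=%b%n",
                    a.getName(), a.getAuthorities(),
                    isGranted(andExpr, a, "/admin/main"),
                    isGranted(anyExpr, a, "/admin/main"));
        }
    }
}
```

Run it with spring-security-web (and its spring-expression dependency) on the classpath. For a principal holding only ROLE_USER or only ROLE_ADMIN the and expression evaluates to false while hasAnyRole evaluates to true, which is the behaviour the second answer describes; a principal with an empty authority list is refused by both. If ROLE_USER users are still rejected under hasAnyRole, the first thing to confirm is that getAuthorities() actually receives 0 for them and emits ROLE_USER, which is exactly the sysout check the first answer recommends.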

Source: https://habr.com/ru/post/1200471/
