RoleVoter Configuration Defaults Prefix Using GrantedAuthorityDefauts #4876

Closed
bonhamcm opened this issue Nov 28, 2017 · 3 comments · Fixed by #6241
Labels: in: core (An issue in spring-security-core), type: bug (A general bug)

Comments

@bonhamcm (Contributor)

Summary

In GlobalMethodSecurityConfiguration, the RoleVoter.setRolePrefix() method is not configured with the GrantedAuthorityDefaults bean.

Actual Behavior

I created a GrantedAuthorityDefaults bean in my application with a blank role prefix ("") but methods using the @Secured annotation still tried to match the default ROLE_ prefix in the RoleVoter.

Expected Behavior

I would expect the RoleVoter.setRolePrefix() method to be called with the rolePrefix configured in the GrantedAuthorityDefaults bean, similar to how the Jsr250MethodSecurityMetadataSource class is configured.

Configuration

Spring Boot 1.5.3.RELEASE

Version

Spring Security 4.2.3.RELEASE

Sample

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class GlobalMethodSecurityConfigurer {
    // Empty prefix: authorities are stored as "shopper", not "ROLE_shopper"
    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");
    }
}

@Service
public class ShopperService {
    private final ShopperRepository shopperRepository;

    public ShopperService(ShopperRepository shopperRepository) {
        this.shopperRepository = shopperRepository;
    }

    // The attribute has no ROLE_ prefix, so a RoleVoter left on its default prefix abstains
    @Secured("shopper")
    @Transactional
    public Shopper getShopper(String username) {
        return shopperRepository.findOne(username);
    }
}
```

Log output:

```
2017-11-27 21:10:09.008 DEBUG 70275 --- [nio-8080-exec-2] o.s.s.a.i.a.MethodSecurityInterceptor    : Secure object: ReflectiveMethodInvocation: public Shopper ShopperService.getShopper(java.lang.String); target is of class [ShopperService]; Attributes: [shopper]
2017-11-27 21:10:20.653 DEBUG 70275 --- [nio-8080-exec-2] o.s.s.a.i.a.MethodSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4c3395fc: Principal: org.springframework.security.core.userdetails.User@75a33cdd: Username: bonhamcm; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: shopper; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: fe80:0:0:0:0:0:0:1%1; SessionId: E6CC9F6FE8BE304F5789F6BC07D50557; Granted Authorities: shopper
2017-11-27 21:10:25.903 DEBUG 70275 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@474f1992, returned: 0
2017-11-27 21:10:30.510 DEBUG 70275 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.access.annotation.Jsr250Voter@7c7ff698, returned: 0
2017-11-27 21:10:34.238 DEBUG 70275 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.access.vote.RoleVoter@12ad043e, returned: 0
2017-11-27 21:10:37.743 DEBUG 70275 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.access.vote.AuthenticatedVoter@701403e9, returned: 0
...
2017-11-27 21:11:28.145 ERROR 70275 --- [nio-8080-exec-2] o.a.c.c.C.[Tomcat].[localhost].[/]     : Exception

org.springframework.security.access.AccessDeniedException: Access is denied
	at org.springframework.security.access.vote.AbstractAccessDecisionManager.checkAllowIfAllAbstainDecisions(AbstractAccessDecisionManager.java:70)
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:89)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:65)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:673)
	at ShopperService$$EnhancerBySpringCGLIB$$101d7290.getShopper(<generated>)
```
@ollio

ollio commented Nov 23, 2018

Same for me with Spring Boot 1.5.12.RELEASE and spring-boot-starter-security

@Secured annotation not usable

@rwinch (Member)

rwinch commented Nov 28, 2018

If someone is interested in submitting a PR, I'd be happy to help them through it.

@rwinch rwinch added in: core An issue in spring-security-core status: ideal-for-contribution An issue that we actively are looking for someone to help us with labels Nov 28, 2018
@rwinch rwinch added this to the General Backlog milestone Nov 28, 2018
@rwinch rwinch added the type: bug A general bug label Nov 28, 2018
@dongmyo (Contributor)

dongmyo commented Dec 6, 2018

@rwinch I'd like to take it

@rwinch rwinch changed the title RoleVoter rolePrefix is not configured with GrantedAuthorityDefaults RoleVoter Configuration Defaults Prefix Using GrantedAuthorityDefauts Dec 6, 2018
dongmyo added a commit to dongmyo/spring-security-1 that referenced this issue Dec 7, 2018
@rwinch rwinch modified the milestones: General Backlog, 5.2.0.M1 Dec 7, 2018
@rwinch rwinch self-assigned this Dec 7, 2018
@rwinch rwinch removed status: ideal-for-contribution An issue that we actively are looking for someone to help us with labels Jan 29, 2019