EduSantos EduSantos - 6 months ago 627
Java Question

Spring Security hasAnyRole not working

I´m developing an application with spring security authentication and MongoDB. The authentication method is working fine but only with

ROLE_ADMIN
. All methods that I need authentication for are annotated with:

@PreAuthorize("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")


When I try to authenticate with a user that has
ROLE_USER
I always get access declined error.

My spring security config is:

<security:global-method-security pre-post-annotations="enabled" />
<security:http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/admin/**"
access="hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')" />
<security:form-login login-page="/login" default-target-url="/admin/main"
authentication-failure-url="/accessdenied" />
<security:logout logout-success-url="/logout" />

<security:session-management>
<security:concurrency-control error-if-maximum-exceeded="true"
max-sessions="1"/>
</security:session-management>
</security:http>


If I use:

<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')" />


I get access denied for both
ROLE_ADMIN
and
ROLE_USER
.

If I use:

<intercept-url pattern="/admin/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" />


I can log in with a
ROLE_ADMIN
user but I can´t with
ROLE_USER
.

and in my
LoginService
I have:

public UserDetails loadUserByUsername(String email)
throws UsernameNotFoundException {
boolean enabled = true;
boolean accountNonExpired = true;
boolean credentialsNonExpired = true;
boolean accountNonLocked = true;

User user = getUserDetail(email);

userdetails = new org.springframework.security.core.userdetails.User(
user.getEmail(), user.getPwd(), enabled,
accountNonExpired, credentialsNonExpired, accountNonLocked,
getAuthorities(user.getIsAdmin()));

return userdetails;
}

public List<GrantedAuthority> getAuthorities(Integer role) {
List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>();
if (role.intValue() == 0) {
authList.add(new SimpleGrantedAuthority("ROLE_USER"));
} else if (role.intValue() == 1) {
authList.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
}
System.out.println(authList);
return authList;
}


What am I missing?

Answer

When you have this kind of problem, please try first adding many System.out.println (or debug log) to see if your method is working, also change:

hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')

for

hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')

And check if the role.intValue() == 0 prints true with a sysout.

Comments