Spring security 4 @PreAuthorize(hasAuthority()) access denied
Solution 1
Although it's late, nevertheless
hasRole(...)
set a prefix for the the content - the default one is ROLE_
hasAuthority(...)
checks the content WITHOUT a prefix, i.e. just the pure content
Solution 2
You should add in Spring security
@EnableGlobalMethodSecurity(prePostEnabled = true)
Solution 3
Try this @PreAuthorize("hasRole('ROLE_ADMIN')")
ericcire
Updated on June 25, 2022Comments
-
ericcire almost 2 years
I am trying to convert a Spring Security 3 @Secured("admin") annotation into Spring Security 4 compatible fashion.
This is my
usersService.java
@PreAuthorize("hasAuthority('admin')") public List<User> getAllUsers() { return usersDao.getAllUsers(); }
Then in
security-context.xml
I have:<security:intercept-url pattern="/admin" access="permitAll" /> ... <security:global-method-security pre-post-annotations="enabled" />
getAllUsers()
is called by aLoginController.java
@RequestMapping("/admin") public String showAdmin(Model model) { List<User> users = usersService.getAllUsers(); model.addAttribute("users", users); return "admin"; }
In mySql database, there are two tables, users and authorities.
authorities
has 2 columns, username and authority.administrator
has authorityadmin
.Now if I trie to access
/admin
, I will be redirected to/login
, but after I log in withadministrator
, I still get "access denied".I think I must have missed something very basic but as I am new to Spring, I could not figure it out. Any help would be appreciated. Thanks.
Update: I tried changing the annotation to @PreAuthorize("hasRole('ROLE_ADMIN')") and I also changed the "authority" column in mySql for admin from "admin" to "ROLE_ADMIN" but it still gives me 403. I did not have much faith on this because before this error, I had to change
hasRole('admin')
insecurityContext.xml
tohasAuthority('admin')
.