Spring Security Authorization - Admin is denied access
As the error message indicates,
Failed to parse expression 'hasRole('ROLE_USER' 'ROLE_ADMIN')
You need to use hasAnyRole() with a comma-separated list of authorities.
Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings), see
So change
<intercept-url pattern='/main/home/' access="hasRole('ROLE_USER' 'ROLE_ADMIN')" />
to
<intercept-url pattern='/main/home/' access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />
Since you have set use-expressions to true, you need to change
IS_AUTHENTICATED_ANONYMOUSLY
to
isAnonymous()
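The two problems pointed out in the answer above can be caught before deployment. This is an added example, not part of the original answer or of Spring Security: the class name AccessExpressionLint and the embedded sample are constructed, and it assumes Java 17, spring-expression on the classpath, and unprefixed element names as in the question's XML.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.springframework.expression.ParseException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class AccessExpressionLint {
    // Constructed sample input: two rules from the question plus the corrected rule from the answer.
    static final String SAMPLE = """
        <http auto-config="true" use-expressions="true">
          <intercept-url pattern="/main/home/" access="hasRole('ROLE_USER' 'ROLE_ADMIN')" />
          <intercept-url pattern="/main/home/" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />
          <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        </http>
        """;

    // Returns "ok" or a short reason why the access attribute is not usable as an expression.
    static String check(String access) {
        // Pre-expression attributes (IS_AUTHENTICATED_*, bare ROLE_*) are syntactically valid
        // SpEL identifiers, so the parser alone would not flag them.
        if (access.matches("[A-Z_]+(\\s*,\\s*[A-Z_]+)*")) {
            return "legacy attribute, not an expression";
        }
        try {
            new SpelExpressionParser().parseExpression(access);
            return "ok";
        } catch (ParseException e) {
            return "parse error: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the config parse cannot be used for XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList rules = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)))
                .getElementsByTagName("intercept-url");
        for (int i = 0; i < rules.getLength(); i++) {
            Element rule = (Element) rules.item(i);
            boolean expressions = "true".equals(((Element) rule.getParentNode()).getAttribute("use-expressions"));
            if (expressions && rule.hasAttribute("access")) {
                System.out.println(rule.getAttribute("pattern") + " -> " + check(rule.getAttribute("access")));
            }
        }
    }
}
```

Running a check like this in the build turns a malformed access rule into a failed build instead of an application that will not start or a role that is locked out.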
user2259555
Updated on June 30, 2022
The authorization for the role admin is being denied access to the whole system - the admin and home pages. So I added ROLE_ADMIN to the /main/home intercept-url.
This is the security xml
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/**" requires-channel="https" />
    <intercept-url pattern='/main/home/' access="hasRole('ROLE_USER' 'ROLE_ADMIN')" />
    <intercept-url pattern='/admin/admin/**' access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern='/main/user/setter/settingpage' access="hasRole('ROLE_USER')" />
    <intercept-url pattern='/main/user/setter/addpage' access="hasRole('ROLE_USER')" />
    <intercept-url pattern='/login.jsp' access='IS_AUTHENTICATED_ANONYMOUSLY' />
    <form-login login-page="/login.jsp" default-target-url="/main/home" authentication-failure-url="/auth/loginfail?error=true"/>
</http>
But that made the whole program stop working. When I run the code as it is, the error is
Failed to parse expression 'hasRole('ROLE_USER' 'ROLE_ADMIN')'
When I do remove the ROLE_ADMIN, the system works and can authenticate users, just not the ROLE_ADMIN, who is now being denied access to all pages. In the db I have set up the roles and it was working until recently.