Spring Security AuthorizeHttpRequestsConfigurer#XXXrole methods should ensure the role does not begin with the role prefix

Similar to how User.UserBuilder works, configuration should fail if configurations like the following are attempted:

hasRole('ROLE_USER')
hasAnyRole('ROLE_USER')

Otherwise, scenarios like this SO question crop up.

Comment From: bist220

Can I work on this?

Comment From: bist220

submitted a pr #12760

Comment From: super-iterator

When this PR is expected to be mainstreamed?

Comment From: super-iterator

I'd like to add that in addition to this issue, hasAuthority('ROLE_USER') doesn't work, and I have to use either hasAnyRole('ROLE_USER') or hasRole('ROLE_USER') with the ROLE_ prefix for this to work. I hope that both issues will be considered.

Comment From: bist220

hasAuthority("ROLE_USER") works fine, atleast in 6.0.1 Also hasAnyRole or hasRole should not start with ROLE_ prefix

Comment From: super-iterator

I'm using 6.0.2 and it doesn't work for (talking about hasAuthority)

Comment From: bist220

can you show your config file, if possible, or some code snippet?

Comment From: super-iterator

It turned out that the Spring Resource Server decoder was adding a ROLE_ prefix, which messed the whole thing up. I also updated to the most recent Spring version 6.0.5, and now I have hasRole, hasAnyRole, and hasAuthority work as they should.