We use a custom prefix for our roles (e.g. we want roles to be something like MYPREFIX_USER instead of ROLE_USER):
@Bean
public GrantedAuthorityDefaults grantedAuthorityDefaults() {
    // one closing parenthesis removed so this compiles
    return new GrantedAuthorityDefaults("MYPREFIX_");
}
If we define our security filter like below (with deprecated authorizeRequests), everything works as expected and the custom prefix is taken into account:
@Bean
public SecurityFilterChain myFilterChain(HttpSecurity http) throws Exception {
    // .build() added: the DSL methods return HttpSecurity, not SecurityFilterChain
    return http.authorizeRequests(c -> c.anyRequest().hasRole("USER")).formLogin(withDefaults()).build();
}
If we change our code to use the recommended authorizeHttpRequests, then the custom prefix is ignored and ROLE_ is used instead:
@Bean
public SecurityFilterChain myFilterChain(HttpSecurity http) throws Exception {
    // .build() added: the DSL methods return HttpSecurity, not SecurityFilterChain
    return http.authorizeHttpRequests(c -> c.anyRequest().hasRole("USER")).formLogin(withDefaults()).build();
}
Our workaround is to use something like:
@Bean
public SecurityFilterChain myFilterChain(HttpSecurity http) throws Exception {
    // .build() added: the DSL methods return HttpSecurity, not SecurityFilterChain
    return http.authorizeHttpRequests(c -> c.anyRequest().hasAuthority("MYPREFIX_USER")).formLogin(withDefaults()).build();
}
Found in Spring Boot 3.1.0 / Spring Security 6.1.0
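Added example, not code from the reporter or from Spring Security: a complete configuration that applies the hasAuthority workaround while keeping the GrantedAuthorityDefaults bean as the single source of the prefix. The class name, the role() helper, the URL patterns and the in-memory users are assumptions made for illustration; GrantedAuthorityDefaults.getRolePrefix() is the real getter on that class. Two caveats the report does not spell out: the bean is still worth registering because method security (@PreAuthorize with hasRole) reads the prefix from it, and User.builder().roles(...) also hard-codes ROLE_, so test users must be granted the prefixed authority explicitly or the rule will deny them even after the workaround.

```java
// Added example (not from the issue): keep a custom role prefix with
// authorizeHttpRequests by deriving the authority string from the
// GrantedAuthorityDefaults bean. Names below are made up for illustration.
package com.example.security;

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    private static final String ROLE_PREFIX = "MYPREFIX_";

    // Still register the bean: method security (@PreAuthorize("hasRole('USER')"))
    // and the legacy authorizeRequests expression handler read the prefix from it.
    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults(ROLE_PREFIX);
    }

    // Hypothetical helper: build "MYPREFIX_USER" from the bean so the prefix is
    // never duplicated as a string literal in individual rules.
    private static String role(GrantedAuthorityDefaults defaults, String role) {
        return defaults.getRolePrefix() + role;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, GrantedAuthorityDefaults defaults)
            throws Exception {
        return http
            .authorizeHttpRequests(auth -> auth
                // hasRole("ADMIN") here would check ROLE_ADMIN and deny every
                // user who only holds MYPREFIX_ADMIN, so hasAuthority is used.
                .requestMatchers("/admin/**").hasAuthority(role(defaults, "ADMIN"))
                .anyRequest().hasAuthority(role(defaults, "USER")))
            .formLogin(withDefaults())
            .build();
    }

    // Constructed demo users. User.roles("USER") would produce ROLE_USER, which the
    // rules above never match, so the prefixed authority is granted explicitly.
    @Bean
    public UserDetailsService users(GrantedAuthorityDefaults defaults) {
        UserDetails alice = User.builder()
            .username("alice")
            .password("{noop}secret") // {noop}: plaintext, acceptable only for a local demo
            .authorities(role(defaults, "USER"))
            .build();
        UserDetails admin = User.builder()
            .username("admin")
            .password("{noop}secret")
            .authorities(role(defaults, "USER"), role(defaults, "ADMIN"))
            .build();
        return new InMemoryUserDetailsManager(alice, admin);
    }
}
```

With this in place, alice can reach any non-admin URL after form login and gets 403 on /admin/**, while admin reaches both; switching either hasAuthority back to hasRole("USER") reproduces the report, since in 6.1 the authorizeHttpRequests DSL builds an AuthorityAuthorizationManager whose hasRole uses the fixed ROLE_ prefix regardless of the bean.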
Comment From: marcusdacoregio
Hi @dmngb, thanks for the report.
We will consider adding this to the next minor version since this is a new, optional feature. As you mentioned, you can still get the old behavior by using hasAuthority. This is consistent with #12473.
However, there is nothing in the migration guide that mentions what users should do if they are changing the prefix and migrating to authorizeHttpRequests, for that I created #13227. I'll update the title of this issue to add the support for GrantedAuthorityDefaults in authorizeHttpRequests if you are okay with it.
Comment From: kandaguru17
@marcusdacoregio, Can I work on this one?
Comment From: marcusdacoregio
Absolutely @kandaguru17, it's yours.