https://github.com/spring-projects/spring-security/blob/e79b6b3ac887f0abda68967b70c1aa3aa0aa62bd/core/src/main/java/org/springframework/security/core/userdetails/User.java#L416
Current State
Use case: A `rolePrefix` provided on the `GrantedAuthorityDefaults` bean, in combination with `inMemoryAuthentication`, gives unexpected behavior.
`http.authorizeRequests().anyRequest().hasRole(TEST_ROLE)` will apply the default `rolePrefix` (`"MY_PREFIX_"`) defined by `GrantedAuthorityDefaults`.
But `auth.inMemoryAuthentication().withUser("test").password("test").roles(TEST_ROLE);` always prefixes `"ROLE_"`, disregarding any set default `rolePrefix`, resulting in an unexpected Unauthorized response.
```java
// Sets the role prefix that hasRole(...) prepends when it checks authorities
@Bean
public GrantedAuthorityDefaults grantedAuthorityDefaults() {
    return new GrantedAuthorityDefaults("MY_PREFIX_");
}
```
```java
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public static class SomeInMemorySecurityConfig extends WebSecurityConfigurerAdapter {
    public static final String TEST_ROLE = "test";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // hasRole(TEST_ROLE) checks for "MY_PREFIX_test" once the GrantedAuthorityDefaults bean is present
        http.antMatcher("/test/**")
            .authorizeRequests()
                .anyRequest().hasRole(TEST_ROLE)
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // roles(TEST_ROLE) stores "ROLE_test" regardless of the configured prefix, so the check above never matches.
        // "{noop}" selects the plain-text encoder id so the default DelegatingPasswordEncoder accepts this password.
        auth.inMemoryAuthentication().withUser("user").password("{noop}passw").roles(TEST_ROLE);
    }
}
```
Suggestion
Make use of the set default prefix when applying the prefix in `roles(...)`.
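Added example, not code from the issue author or from the Spring Security project: it stores the in-memory user's authority through `authorities(...)` (which keeps the string verbatim) so that it carries the same custom prefix `hasRole(...)` computes from `GrantedAuthorityDefaults`, and replaces `inMemoryAuthentication()` with a `UserDetailsService` bean as the thread suggests. The class and bean names are assumptions; the prefix and role name are the issue's own.

```java
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Assumed class name; not part of the issue or of Spring Security.
@Configuration
public class PrefixAwareInMemoryConfig {
    public static final String ROLE_PREFIX = "MY_PREFIX_"; // prefix from the issue
    public static final String TEST_ROLE = "test";         // role from the issue

    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults(ROLE_PREFIX);
    }

    // UserDetailsService bean instead of auth.inMemoryAuthentication().
    // authorities() stores the string as given, so the stored authority is exactly
    // the string hasRole(TEST_ROLE) builds after prepending ROLE_PREFIX.
    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails admin = User.withUsername("user")
                .password("{noop}passw")              // {noop}: plain-text encoder id, local demo only
                .authorities(ROLE_PREFIX + TEST_ROLE) // stored as "MY_PREFIX_test", no "ROLE_" added
                .build();
        return new InMemoryUserDetailsManager(admin);
    }

    // Self-check reproducing the mismatch: roles() hardcodes "ROLE_", authorities() does not.
    public static void main(String[] args) {
        UserDetails viaRoles = User.withUsername("u").password("{noop}p").roles(TEST_ROLE).build();
        UserDetails viaAuthorities =
                new PrefixAwareInMemoryConfig().userDetailsService().loadUserByUsername("user");
        System.out.println("roles():             " + names(viaRoles));
        System.out.println("authorities():       " + names(viaAuthorities));
        System.out.println("expected by hasRole: " + ROLE_PREFIX + TEST_ROLE);
    }

    private static List<String> names(UserDetails u) {
        return u.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList());
    }
}
```

The same `authorities(ROLE_PREFIX + TEST_ROLE)` call is available on `inMemoryAuthentication().withUser(...)` as well, for configurations still using `AuthenticationManagerBuilder`.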
Comment From: nor-ek
Hey ✋ You can assign me to this.
Comment From: eleftherias
Thanks @nor-ek! Please hold off for now as I'm still considering what the intended behavior is.
Comment From: SvenDhaens
If you need me to do anything lemme know.
Comment From: sjohnr
Hi @SvenDhaens, it looks like this issue doesn't have an answer for what the intended behavior is. I've not done any research yet, so pardon any missing context here. To your knowledge, is this issue just a symptom of the fact that GrantedAuthorityDefaults is only honored when the role is checked during authorization? Are there other places in the framework you think this @Bean should be taken into account but isn't?
Also, given the deprecation of WebSecurityConfigurerAdapter and the suggestion to migrate in-memory authentication to a UserDetailsService @Bean, what is the priority of this issue for you?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: sjohnr
Hi @SvenDhaens. Did you happen to see my above question?
Also, given the deprecation of WebSecurityConfigurerAdapter and the suggestion to migrate in-memory authentication to a UserDetailsService @Bean, what is the priority of this issue for you?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: SvenDhaens
@sjohnr We use this for a specific endpoint that is only used for admin purposes. In that sense a UserDetailsService seems a little overkill maybe? Anyway, like you said WebSecurityConfigurerAdapter got deprecated so I need to take a look into the new way of things. As for priority, we have a workaround for this specific case and since we might take up your suggestions this is not a priority for us.
Comment From: sjohnr
As this issue has not received any additional feedback in some time, I'm going to close this issue. If anyone has additional feedback such that this issue should be reopened, we can evaluate at that time.