Spring Security ROLE_ prefix no longer needed?

流过昼夜 submitted on 2019-12-04 05:57:47

Probably you're using:

 <http use-expressions="true"> 

that configures a WebExpressionVoter which will vote true for the users who have the granted authority "BlaBla" (in your case).

Remember that the authorization for a secured object (a URL, for instance) is performed by an AccessDecisionManager.

There are three concrete AccessDecisionManagers: affirmative, consensus and unanimous.

For taking the decisions, they use a list of AccessDecisionVoters:

RoleVoter, the one that you expected, which has a configurable rolePrefix (ROLE_ by default), AuthenticatedVoter and the new WebExpressionVoter.

Don't forget that the combination of the AccessDecisionManager and its voters could allow or deny the permission in a way that you'd think illogical.

And I recommend you debug the requests to see if the URL and the pattern match as you expected.
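
The RoleVoter prefix check and the manager/voter interplay described in this answer, as an added Java example that is not part of the original answer. It assumes spring-security-core on the classpath in a release that still ships the voter classes; the class name VoterDemo, the user "alice" and the attribute lists are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class VoterDemo {

    // Runs one decision and reports whether the manager allowed it.
    static String decide(AccessDecisionManager adm, Authentication user, String... attrs) {
        try {
            adm.decide(user, new Object(), SecurityConfig.createList(attrs));
            return "granted";
        } catch (AccessDeniedException e) {
            return "denied";
        }
    }

    public static void main(String[] args) {
        // Constructed user: fully authenticated, holds the authority "BlaBla" (no ROLE_ prefix).
        Authentication user = new TestingAuthenticationToken("alice", "n/a", "BlaBla");

        // RoleVoter only votes on attributes that start with its prefix (ROLE_ by default);
        // it abstains on "BlaBla" and denies "ROLE_BlaBla" because the user's authority differs.
        RoleVoter roleVoter = new RoleVoter();
        System.out.println("RoleVoter on BlaBla:      "
                + roleVoter.vote(user, null, SecurityConfig.createList("BlaBla")));
        System.out.println("RoleVoter on ROLE_BlaBla: "
                + roleVoter.vote(user, null, SecurityConfig.createList("ROLE_BlaBla")));

        List<AccessDecisionVoter<?>> voters =
                Arrays.<AccessDecisionVoter<?>>asList(roleVoter, new AuthenticatedVoter());
        AccessDecisionManager affirmative = new AffirmativeBased(voters);
        AccessDecisionManager unanimous = new UnanimousBased(voters);

        // Both voters abstain on "BlaBla"; by default an all-abstain outcome is a denial.
        System.out.println("affirmative, BlaBla: " + decide(affirmative, user, "BlaBla"));
        // One grant is enough for AffirmativeBased, so AuthenticatedVoter's grant overrides
        // RoleVoter's denial; UnanimousBased rejects on the first denial.
        String[] both = {"ROLE_BlaBla", "IS_AUTHENTICATED_FULLY"};
        System.out.println("affirmative, both:   " + decide(affirmative, user, both));
        System.out.println("unanimous, both:     " + decide(unanimous, user, both));
    }
}
```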
