How do I use custom roles/authorities in Spring Security?

Question

While migrating a legacy application to spring security I got the following exception:

org.springframework.beans.factory.BeanCreationException: Error creatin         


        

Answer 1

You can also always using expression (by config use-expressions="true") to ignore ROLE_ prefix.

After reading Spring Security 3.1 source code, I found when use-expressions="true" :

For :
HttpConfigurationBuilder#createFilterSecurityInterceptor() will regist WebExpressionVoter but not RoleVoter、AuthenticatedVoter;

For : GlobalMethodSecurityBeanDefinitionParser#registerAccessManager() will regist PreInvocationAuthorizationAdviceVoter (conditionally), then always regist RoleVoter、AuthenticatedVoter, regist Jsr250Voter conditionally;

PreInvocationAuthorizationAdviceVoter will process PreInvocationAttribute （PreInvocationExpressionAttribute will be used as implementation） which is generated according @PreAuthorize. PreInvocationExpressionAttribute#getAttribute() always return null, so RoleVoter、AuthenticatedVoter do not vote it.