Spring Security: Case Insensitive Roles

Submitted by 痴心易碎 on 2020-01-03 04:20:27

Question


I have set up Spring Security in my Spring MVC-based web application. However, due to some external system restriction, I want the user roles to be in lowercase.

But when testing locally using In Memory Users, the application allows access only when the authenticated user has roles in UPPER_CASE, and gives a 403 as soon as I change the roles to lowercase.

Is there any such restriction that roles must be in upper-case? I can't find any mention of it in the docs.

I also found out about the lowercase-comparisons attribute of filter-invocation-definition-source. Is this for comparison of URLs or of roles?

Below is the FilterSecurityInterceptor definition:

<bean id="fsi" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="objectDefinitionSource">
        <sec:filter-invocation-definition-source lowercase-comparisons="true">
            <sec:intercept-url pattern="/logout.jsp"            access="ROLE_ANONYMOUS" />
            <sec:intercept-url pattern="/welcome.htm"           access="ROLE_executer,ROLE_viewer,ROLE_admin_user" />

            <!-- Write Access -->
            <sec:intercept-url pattern="/addNewRecord.htm"      access="ROLE_executer,ROLE_admin_user" />
            <sec:intercept-url pattern="/updateRecord.htm"      access="ROLE_executer,ROLE_admin_user" />
            <sec:intercept-url pattern="/deleteRecord.htm"      access="ROLE_executer,ROLE_admin_user" />
            <sec:intercept-url pattern="/uploadFile.htm"        access="ROLE_executer,ROLE_admin_user" />

            <!-- Read Access to All Other-->
            <sec:intercept-url pattern="/**"                    access="ROLE_executer,ROLE_viewer,ROLE_admin_user"/>                        
        </sec:filter-invocation-definition-source>
    </property>
</bean> 

Thanks for any help.


Answer 1:


Roles don't have to be upper case. However, in a normal configuration, the RoleVoter looks for the prefix ROLE_, which is case sensitive. See this FAQ.

You can either configure the role voter to have an empty prefix (or a lower case one, if that's what you want), or you can use expression-based access - see this answer.

Alternatively, you can configure your AuthenticationProvider with a GrantedAuthoritiesMapper which converts the roles from your external system to values which can be consumed by Spring Security's RoleVoter - see this answer.
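To make the prefix behaviour described in this answer concrete, here is an added example (not code from the original post, and not Spring Security's own source): a stand-alone program that runs the same lower-case authority through a RoleVoter configured with three different prefixes and prints the vote each time. It assumes spring-security-core (3.x or 4.x API; RoleVoter is still present in 5.x) on the classpath and uses TestingAuthenticationToken to build a sample principal. The user name "alice" and the authority "role_executer" are constructed for the example.

```java
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

/**
 * Shows how RoleVoter's case-sensitive rolePrefix decides whether a
 * lower-case authority issued by an external system is granted, denied
 * or ignored (abstain). Added example; the principal and role names
 * below are constructed for illustration.
 */
public class RolePrefixDemo {

    /** Sample user whose authority was issued entirely in lower case. */
    static final Authentication LOWER_CASE_USER =
            new TestingAuthenticationToken("alice", "n/a", "role_executer");

    /** The same user with the authority named the way the default convention expects. */
    static final Authentication UPPER_PREFIX_USER =
            new TestingAuthenticationToken("alice", "n/a", "ROLE_executer");

    /**
     * Runs one vote. RoleVoter only considers config attributes that start with
     * rolePrefix (String.startsWith, hence case sensitive) and then requires an
     * exact, case-sensitive String match against one of the user's authorities.
     */
    static int vote(String rolePrefix, Authentication user, String... configAttributes) {
        RoleVoter voter = new RoleVoter();
        voter.setRolePrefix(rolePrefix);
        List<ConfigAttribute> attributes = SecurityConfig.createList(configAttributes);
        // RoleVoter never inspects the secured object, so null is sufficient here.
        return voter.vote(user, null, attributes);
    }

    static String describe(int result) {
        switch (result) {
            case AccessDecisionVoter.ACCESS_GRANTED:
                return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:
                return "DENIED";
            default:
                return "ABSTAIN";
        }
    }

    public static void main(String[] args) {
        // 1. Default prefix with an upper-cased authority: attribute and authority are identical.
        System.out.println("ROLE_ prefix, ROLE_executer user, access=ROLE_executer : "
                + describe(vote("ROLE_", UPPER_PREFIX_USER, "ROLE_executer")));

        // 2. The situation in the question: "ROLE_executer" is a supported attribute, but
        //    "role_executer" never equals it, so the voter denies and the filter answers 403.
        System.out.println("ROLE_ prefix, role_executer user, access=ROLE_executer : "
                + describe(vote("ROLE_", LOWER_CASE_USER, "ROLE_executer")));

        // 3. Lower-casing only the intercept-url attribute does not help: "role_executer"
        //    does not start with "ROLE_", so RoleVoter abstains and some other voter must decide.
        System.out.println("ROLE_ prefix, role_executer user, access=role_executer : "
                + describe(vote("ROLE_", LOWER_CASE_USER, "role_executer")));

        // 4. The first fix from the answer: a lower-case prefix matching the external system.
        System.out.println("role_ prefix, role_executer user, access=role_executer : "
                + describe(vote("role_", LOWER_CASE_USER, "role_executer")));

        // 5. The other variant: an empty prefix makes every attribute a role attribute,
        //    still compared case-sensitively, so the access value must match exactly.
        System.out.println("empty prefix, role_executer user, access=role_executer : "
                + describe(vote("", LOWER_CASE_USER, "role_executer")));
    }
}
```

In the XML configuration shown in the question, case 4 corresponds to declaring a RoleVoter bean with its rolePrefix property set to "role_", wiring it into the accessDecisionManager, and changing every access value to the lower-case form. One caveat with the empty-prefix variant: RoleVoter then stops abstaining on attributes such as IS_AUTHENTICATED_FULLY and votes to deny them, which is harmless under AffirmativeBased (one GRANTED from AuthenticatedVoter is enough) but breaks access under UnanimousBased. As for the lowercase-comparisons attribute the question asks about: in the Spring Security 3.0 namespace it controls whether the request URL is lower-cased before being matched against the intercept-url patterns, and has no effect on role comparison.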



Source: https://stackoverflow.com/questions/23832510/spring-security-case-insensitive-roles
