I am trying to setup Spring 3 security using JDBC auth. Everything is working fine apart from when I try to specify multiple access roles to an intercept-url. Eg I want anyone w
I had the same issue but used expressions to get around this issue:
You should embed
use-expressions="true"
in your existing config. So:
<security:http auto-config="true" access-denied-page="/denied.jsp" >
becomes
<security:http auto-config="true" access-denied-page="/denied.jsp" use-expressions="true">
And then:
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
I am not sure about this problem, actually I am using it currently in my project and don't see an issue. try removing the space after the "," I mean try using ROLE_USER,ROLE_ADMIN
I decided to downgrade to Spring Security 2.0.5 without changing anything else to check whether this was a bug in 3, and lo-and-behold it was!
I think I also found a related open bug here - https://jira.springsource.org/browse/SEC-1342
Solution - use 2.0.5 if want to use this feature.
I had the same problem when was trying to migrate from Spring 3.x to 4.x. Finally I found that parameter "use-expressions" of "http" tag became "true" by default in Spring 4.x instead of false (as it was in old versions).
P.S. This question is very old for now, but I found this in Google. So somebody else can find it too and this info might be useful then.
I had the same problem and found the answer here.
Use that line to grant access to user with both roles: <security:intercept-url pattern="/**" access="hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')" />
If you want to grant access to user with one of the listed roles, use: <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />
Also, you need to add ability to use SpEL in your security *.xml, add use-expressions="true"
to <http>
tag.